
yahoo-eng-team team mailing list archive

[Bug 1409973] Re: Openstack dashboard data is corrupted, and does not permit login / load dashboard after hack


** Information type changed from Private Security to Public

** Changed in: horizon
       Status: New => Invalid

** Changed in: ossa
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1409973

Title:
  Openstack dashboard data is corrupted, and does not permit login /
  load dashboard after hack

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added as to
  the bug as attachments.

  This hack is an ad hoc test performed randomly twice on 2 different
  setups, and this resulted in exposing the entire OpenStack Django
  settings on http://<ip>/admin/ once and corrupted the project data
  twice, making the user unauthorized.

  Major impact: the user lost his project association and the system is not
  able to retrieve the project list.

  Also noticed that this issue might have been triggered by the
  amount of load generated by Burp Suite (Intruder); see the steps for
  details on how to reproduce.

  Tools: Burp Suite (Spider & Intruder)

  Steps:
  1. Open Burp Suite and enable proxy intercept
  2. Open a web browser on the same host, and change the proxy to localhost:8080 (Burp proxy)
  3. Go to the browser and open http://<ip>/
  4. Once you log in, create new projects or associate the admin user with some projects
  5. Make sure you are able to access all links in the left pane
  Note: for each request, manually forward it in Burp
  6. Now click on the following URLs, select "add to scope", and then select "spider from here"

  http://<ip>/auth/login
  http://<ip>/admin
  http://<ip>/project/access_and_security/security_groups/1/

  Once the spider is running, make sure it prompts you for login forms,
  and always provide invalid passwords.

  7. Submit all login forms with invalid passwords and usernames as it prompts for 5 - 10 forms
  8. Now go to Intruder, and:
  select numbers as the 1st payload for the first attack
  select null payload as the 1st payload for the second attack
  make sure both attacks run in parallel

  number payload configuration:
  sequential
  from: -12343
  to: 123432
  step: 1
  min int digits: 1
  max int digits: 123432
  min fraction: 2
  max fraction: 7

  payload processing:
  add suffix 1
  match [0] replace with [1]
  add prefix 0

  url encode : default values

  null payload configuration:
  payload options: continue indefinitely
  payload processing: Default (None)

  9. Once the spider and Intruder are running in parallel, wait for 15 minutes, then try to log in manually at http://<ip>/
  This will throw errors during login; the following errors are noticed.

  1. user is not associated with any projects, thus not authorized to login
  2. user is not authorized to see dashboard after login
  3. unauthorized: unable to retrieve project list

  So the Burp attack is disrupting OpenStack projects and user logins.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1409973/+subscriptions