yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #37548
[Bug 1312246] Re: cfntools command injection
** Changed in: heat-cfntools
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1312246
Title:
cfntools command injection
Status in heat-cfntools:
Fix Released
Status in OpenStack Dashboard (Horizon):
New
Bug description:
The package heat-cfntools, which are Cloud Formation tools installed
on instance images, contains a command line injection vulnerability in
the way it launches a subprocess. The class CommandRunner, in the file
cfntools/cfn_helper.py, contains the function run that executes the
command string given in the CommandRunner constructor. It does so by
creating the following command arguments:
cmd = ['su', user, '-c', self._command]
Since `su {user} -c` creates another subprocess it will evaluate and
execute the self._command string, making is susceptible to command
line injection. Additionally, su {user} -c must be ran as root in this
context otherwise the program will wait for the user to input a
password.
An example of this can be found in the utility in bin/cfn-signal,
which signals when an application is ready, by sending a curl request
containing external input:
cmd_str = "curl -X PUT -H \'Content-Type:\' --data-binary \'%s\' \"%s\"" % \
(cfn_helper.json.dumps(body), args.url)
Although the HTTP Request body is json encoded, the escape sequence \'
does not escape a single quote around a command line string.
Additionally, if the second argument, the URL, contains a double quote
it will also escape from the curl string.
Examples and steps to reproduce:
As root, run the following commands:
cfn-signal -d "some content' http://www.example.com; echo hello>>/tmp/hello; #" http://www.foobar.com
cfn-signal 'http://www.example.com/?"; echo hello>/tmp/hello; #'
Where in each example, `echo hello>>/tmp/hello;` will be executed.
Depending upon how the Heat template was built, if an attacker can
have input on any arguments in the JSON request body it would be
possible to inject arbitrary commands ran as root on the instance.
This, however, is just one example of many calls to CommandRunner
using input from external resources.
It is recommended that CommandRunner try to elevate or demote itself
to the desired user id and then call Popen with an argument list
containing the command and arguments instead of an inline command and
argument string such as:
cmd = ["ls", "-la", "/tmp/"];
try:
os.setuid(0);
subprocess.Popen(cmd);
except Exception as ex:
print "Error: %s" % ex
instead of:
cmd = ['su', user, '-c', self.command]
subprocess.Popen(cmd)
This will require that all CommandRunner calls be changed to a list
instead of a string throughout the cfntools package.
Environment:
Ubuntu 12.04
OS X Mavericks
To manage notifications about this bug go to:
https://bugs.launchpad.net/heat-cfntools/+bug/1312246/+subscriptions