
yahoo-eng-team team mailing list archive

[Bug 1312246] Re: cfntools command injection

 

** Changed in: horizon
       Status: New => Invalid

** No longer affects: horizon

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1312246

Title:
  cfntools command injection

Status in heat-cfntools:
  Fix Released

Bug description:
  The package heat-cfntools, which provides the Cloud Formation tools
  installed on instance images, contains a command line injection
  vulnerability in the way it launches a subprocess. The class
  CommandRunner, in the file cfntools/cfn_helper.py, contains the function
  run, which executes the command string given to the CommandRunner
  constructor. It does so by creating the following command arguments:

  cmd = ['su', user, '-c', self._command]

  Since `su {user} -c` creates another subprocess, it will evaluate and
  execute the self._command string, making it susceptible to command
  line injection. Additionally, `su {user} -c` must be run as root in this
  context; otherwise the program will wait for the user to input a
  password.

  An example of this can be found in the utility bin/cfn-signal, which
  signals when an application is ready by sending a curl request
  containing external input:

  cmd_str = "curl -X PUT -H \'Content-Type:\' --data-binary \'%s\' \"%s\"" % \
      (cfn_helper.json.dumps(body), args.url)

  Although the HTTP request body is JSON encoded, the escape sequence \'
  does not escape a single quote inside a command line string.
  Additionally, if the second argument, the URL, contains a double quote,
  it will also escape from the curl string.

  Examples and steps to reproduce:

  As root, run the following commands:

  cfn-signal -d "some content' http://www.example.com; echo hello>>/tmp/hello; #" http://www.foobar.com
  cfn-signal 'http://www.example.com/?";; echo hello>/tmp/hello; #'

  In each example, `echo hello>>/tmp/hello;` will be executed.

  Depending upon how the Heat template was built, if an attacker can
  influence any arguments in the JSON request body, it would be possible
  to inject arbitrary commands run as root on the instance. This,
  however, is just one example of many calls to CommandRunner using
  input from external resources.

  It is recommended that CommandRunner try to elevate or demote itself
  to the desired user id and then call Popen with an argument list
  containing the command and arguments, instead of an inline command and
  argument string, such as:

  import os
  import subprocess

  # Argument list: each element reaches the program as one argv entry,
  # with no shell in between to reinterpret quotes or ';'.
  cmd = ["ls", "-la", "/tmp/"]
  try:
      os.setuid(0)
      subprocess.Popen(cmd)
  except Exception as ex:
      print("Error: %s" % ex)

  instead of:

  cmd = ['su', user, '-c', self.command]
  subprocess.Popen(cmd)

  This will require that all CommandRunner calls be changed to a list
  instead of a string throughout the cfntools package.

  Environment:

  Ubuntu 12.04
  OS X Mavericks

To manage notifications about this bug go to:
https://bugs.launchpad.net/heat-cfntools/+bug/1312246/+subscriptions
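
The following is an added example, not code from the bug report or from heat-cfntools itself. It contrasts the two launch paths the report describes: the cfn-signal command string handed to a shell (the `su user -c` path, modelled here with `sh -c` so it runs without root), and the argv-list form the reporter recommends. curl is replaced by `echo` (an assumption so the example runs offline), the JSON body fields and the marker file path are constructed, and the payload has the same shape as the report's `cfn-signal -d` example: a single quote that closes the `--data-binary` argument, `;` to start a second command, and `#` to comment out the rest of the line.

```python
import json
import os
import subprocess
import tempfile

# Stand-in for curl so the example runs offline and touches nothing but a
# temp directory; only the shape of the command line mirrors bin/cfn-signal.
TOOL = "echo"


def build_shell_string(body, url):
    """Vulnerable pattern: interpolate JSON and URL into one shell string.

    Same construction as cfn-signal's cmd_str, with curl replaced by TOOL.
    json.dumps() escapes double quotes but leaves single quotes as-is, so a
    single quote in any field terminates the shell's quoted argument.
    """
    return "%s -X PUT -H 'Content-Type:' --data-binary '%s' \"%s\"" % (
        TOOL, json.dumps(body), url)


def build_argv(body, url):
    """Hardened pattern: one argv element per argument, so nothing is
    re-parsed by a shell and quotes in the JSON or URL stay literal."""
    return [TOOL, "-X", "PUT", "-H", "Content-Type:", "--data-binary",
            json.dumps(body), url]


def run_shell_string(command):
    """Stand-in for `su user -c command`: /bin/sh tokenises the string, so
    quote characters and ';' inside the data are treated as shell syntax."""
    return subprocess.run(["sh", "-c", command], capture_output=True, text=True)


def run_argv(argv):
    """execve-style launch: the argv list reaches the program unchanged."""
    return subprocess.run(argv, capture_output=True, text=True)


def demo():
    """Run one constructed payload through both launch paths.

    Returns (shell_created_marker, argv_created_marker): True means the
    injected `echo hello>>marker` actually executed on that path.
    """
    workdir = tempfile.mkdtemp()
    marker = os.path.join(workdir, "hello")
    try:
        # Constructed attacker-controlled Data value (hypothetical template
        # input): closes the quoted --data-binary argument, appends a second
        # command, and comments out the remainder of the line.
        evil_data = "some content' http://www.example.com; echo hello>>%s; #" % marker
        body = {"Status": "SUCCESS", "Reason": "demo", "Data": evil_data}
        url = "http://www.foobar.com"

        run_shell_string(build_shell_string(body, url))
        shell_hit = os.path.exists(marker)
        if shell_hit:
            os.remove(marker)

        run_argv(build_argv(body, url))
        argv_hit = os.path.exists(marker)
        return shell_hit, argv_hit
    finally:
        if os.path.exists(marker):
            os.remove(marker)
        os.rmdir(workdir)


if __name__ == "__main__":
    shell_hit, argv_hit = demo()
    print("shell string executed injected command:", shell_hit)
    print("argv list executed injected command:   ", argv_hit)
```

Running `demo()` yields `(True, False)`: the shell-string path writes the marker file, the argv path passes the whole JSON document (quote and all) to the program as a single argument. Dropping the privileges that `su` was providing is the other half of the fix; in the argv model that is done in-process before the `exec`, for example with the `user=` parameter of `subprocess.run` (Python 3.9 and later) or a `preexec_fn` that calls `os.setuid`, and this example omits it only because it would require running as root.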