Remote Code Execution on saveConfig

[operatorequals]

In line:
https://github.com/E2OpenPlugins/e2openplugin-OpenWebif/blob/1.2.4/plugin/controllers/models/config.py#L150
the eval() call blindly executes any user supplied data.
For example a remote unauthenticated attacker can use the following GET request to create a root-owned file under /tmp/ on a "Dreambox 800HD se" device:

GET /api/saveconfig?key=__import__(%27os%27).system(%27touch%20%2Ftmp%2Fpy100%20%26%27)&value=10&_=1496061368064 HTTP/1.1
Host: 192.168.0.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.2/
Connection: close

We will be requesting a CVE for this issue and will report the CVE number once this becomes available, for issue coordination purposes.

[jbleyel]

first shot:
NOT tested!!!!

web.py new P_saveconfig

def P_saveconfig(self, request):
	res = self.testMandatoryArguments(request, ["key", "value"])
	if res:
		return res
	key = request.args["key"][0]
	if "/" in key or "%" in key or " " in key:
		return {
			"result": False
			}
	return saveConfig(request.args["key"][0], request.args["value"][0])

[jbleyel]

AND/OR
...
if key.startswith( 'config.' ):
...

[jbleyel]

	def P_saveconfig(self, request):
		res = self.testMandatoryArguments(request, ["key", "value"])
		if res:
			return res
		key = request.args["key"][0]
		if "/" in key or "%" in key or " " in key or not key.startswith("config."):
			return {
				"result": False
				}
		return saveConfig(request.args["key"][0], request.args["value"][0])

[Schimmelreiter]

Do we need any chars except alphanumeric and "." inside a key?
Can't we also test of that key exists?

What will happen with values?

[jbleyel]

Values can be ignored.
We can also test the second part of the key.
config.xxx.
xxx must be exist. -> see config.py getConfigsSections
But these sections needs to be cached.

[jbleyel]

Then we can check the length of the 3rd part : max 30 or 50
And we can use POST for the save request.

[Schimmelreiter]

Will you test and push those changes?

[operatorequals]

This issue has been assigned the CVE 2017-9807.

[jbleyel]

Ich hab grad keine Zeit zum testen.

[operatorequals]

Maybe the below snippet:

from string import lowercase
accepted = lowercase + '.'    # "abcdefghijklmnopqrstuvwxyz."
not all([c in accepted for c in key] )
# Returns True if ANY non legitimate character exists in "key"

can replace the below check (found in P_saveconfig) in more depth:

# Blacklists the "/", "%" and space (" ") characters.
"/" in key or "%" in key or " " in key
# Returns True if any blacklisted character exists in "key"

This can happen because it whitelists only acceptable characters (lowercase letters and dot), and returns True if any non-acceptable character exists in the key parameter.

[Schimmelreiter]

Any alphanumeric (capital, non-capital plus digits) plus "." should be acceptable.

[operatorequals]

Pardon me, I am new to the project!
Then my code snippet can be transformed like follows:

from string import letters, digits
accepted = letters + digits + '.'    # "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789."
not all([c in accepted for c in key] )
# Returns True if ANY non legitimate character exists in "key"

The string constants are available here: https://docs.python.org/2/library/string.html

[operatorequals]

Or much better use the ascii_letters constant as is not dependent on running system's Locale.
Transformed snippet:

from string import ascii_letters, digits
accepted = ascii_letters + digits + '.'    # "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789."
not all([c in accepted for c in key] )
# Returns True if ANY non legitimate character exists in "key"

As my system has an English Locale the difference cannot be seen in those two snippets right away, but if run on a different Locale system (a Greek one for example) the check I previously posted will always fail for legitimate key values.

I believe that this one is as safe as it gets when comes to Locale issues...

[jbleyel]

I think there is a easy way.
Step 1: Split the key string by . and check count (eq 3)
Step 2: check the 1. value / must equal "config"
Step 3: check the second part / must be one of (config.py getConfigsSections)
Step 4: check the third part / black list letters (#/%)

[jbleyel]

	def P_saveconfig(self, request):
		res = self.testMandatoryArguments(request, ["key", "value"])
		if res:
			return res
		key = request.args["key"][0]
		keys = key.split('.')
		if len(keys) = 3 and keys[0] = 'config':
			sect = getConfigsSections['sections']
			if keys[1] in sect:
				if "/" not in key[2] and "%" not in key[2]:
					return saveConfig(key, request.args["value"][0])
		return {
			"result": False
			}

[jbleyel]

UPDATE:
getConfigsSections do not work as expected.

	def P_saveconfig(self, request):
		res = self.testMandatoryArguments(request, ["key", "value"])
		if res:
			return res
		key = request.args["key"][0]
		if "/" not in key and "%" not in key and "." in key:
			keys = key.split('.')
			if len(keys) == 3 and keys[0] == 'config':
				return saveConfig(key, request.args["value"][0])
		return {"result": False}

[Schimmelreiter]

Sounds good to me.

[jbleyel]

I will also switch to POST for this request.