The Repos feature is vulnerable to commands injection attack [CVE-2017-1000469] #1845

Closed
0xabe-io opened this issue Oct 19, 2017 · 5 comments · Fixed by #1889

Comments

@0xabe-io

In the Repos feature, Cobbler does not sanitize its user input; as a result, it is possible to execute arbitrary commands by specifying a malformed repository mirror during its creation or editing. As the service runs as root, it is thus possible to leak sensitive information and gain remote root access on the machine that runs Cobbler.

Sample of a malicious input, entered in the Mirror field in the Adding a Repo form:

/etc/passwd;id & echo /

Then a Reposync action has to be executed to trigger the malicious command to run. Its output can be seen in the log of the action, which is in the Events page.

To fix this issue, we would suggest filtering the user input to remove non-valid path characters. Additionally, it would be advisable to run the rsync command, if not the entire service, as an unprivileged user.

This issue has been verified on versions up to 2.8.2.

@whindes

whindes commented Nov 24, 2017

Has anyone recreated this issue? Seems important to follow up. Was there a pull request to solve this issue or is there a fork to review the suggested filter? Thanks for reporting this issue @0xabe-io - Cheers!

@0xabe-io
Author

Hi @whindes,

No, I don't have any fix for that issue.

The injection has been tested on an old 1.6.X version as well as the 2.8.2.

@abergmann

CVE-2017-1000469 was assigned to this issue.

@0xabe-io changed the title from "The Repos feature is vulnerable to commands injection attack" to "The Repos feature is vulnerable to commands injection attack [CVE-2017-1000469]" on Jan 8, 2018

@dolevf

dolevf commented Jun 19, 2018

Hi team,

Please note that this is still injectable via both createflags and yumdownloader setting:

cmd = "%s %s --config=%s --repoid=%s --download_path=%s" % (cmd, self.rflags, temp_file, pipes.quote(repo.name), pipes.quote(self.settings.webdir + "/repo_mirror"))

cmd = "%s %s %s --disablerepo=* --enablerepo=%s -c %s --destdir=%s %s" % (cmd, extra_flags, use_source, pipes.quote(repo.name), temp_file, pipes.quote(dest_path), " ".join(repo.rpm_list))

rpm -qa:
cobbler-web-2.8.3-2.el7.noarch
cobbler-2.8.3-2.el7.x86_64
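
Added example, not part of the thread and not Cobbler's code: it rebuilds the reposync line quoted in the comment above with `shlex.quote` (the same function as `pipes.quote`), shows that the unquoted flags field still hands a control operator to the shell, and builds the same call as an argument list for `subprocess.run` without a shell. The function names, the sample values and the options-only flag check are assumptions made for illustration.

```python
import shlex

def reposync_shell_string(cmd, rflags, temp_file, repo_name, download_path):
    """Same shape as the reposync line quoted above: rflags goes in unquoted."""
    return "%s %s --config=%s --repoid=%s --download_path=%s" % (
        cmd, rflags, temp_file, shlex.quote(repo_name), shlex.quote(download_path))

def unquoted_operators(command_line):
    """Control operators (; & | ...) a POSIX shell would act on in command_line.

    Limitation: a quoted argument made up only of these characters is
    reported as well, because shlex drops the quotes before returning it.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok and set(tok) <= set("();<>|&")]

def reposync_argv(cmd, rflags, temp_file, repo_name, download_path):
    """Argument list for subprocess.run(argv), shell=False: nothing re-parses it."""
    flags = shlex.split(rflags)
    for flag in flags:
        # Assumed policy (not Cobbler's): every flag must look like an option.
        if not flag.startswith("-"):
            raise ValueError("rejected repo flag: %r" % flag)
    return [cmd, *flags, "--config=" + temp_file,
            "--repoid=" + repo_name, "--download_path=" + download_path]

# Constructed sample values, not taken from a real Cobbler installation.
ARGS = ("/tmp/example.repo", "epel;id", "/srv/www/repo_mirror")

if __name__ == "__main__":
    for rflags in ("--newest-only", "--newest-only;id"):
        line = reposync_shell_string("reposync", rflags, *ARGS)
        print(repr(rflags), "-> operators seen by sh:", unquoted_operators(line))
        print("   argv form:", reposync_argv("reposync", rflags, *ARGS))
```

The quoted repo name never produces an operator, while the same characters in the flags field do; in the argument-list form they reach the program as literal text.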

@dave-mccowan

Does this bug and fix affect only the webui? Or also the CLI interface?
