The Repos feature is vulnerable to commands injection attack [CVE-2017-1000469] #1845

Closed
0xabe-io opened this Issue Oct 19, 2017 · 5 comments

0xabe-io commented Oct 19, 2017

In the Repos feature, Cobbler does not sanitize its user input; as a result, it is possible to execute arbitrary commands by specifying a malformed repository mirror during its creation or editing. As the service runs as root, it is thus possible to leak sensitive information and gain remote root access on the machine that runs Cobbler.

Sample of a malicious input, entered in the Mirror field in the Adding a Repo form:

/etc/passwd;id & echo /

Then a Reposync action has to be executed to trigger the malicious command to run. Its output can be seen in the log of the action, which is in the Events page.

To fix this issue, we would suggest filtering the user input to remove non-valid path characters. Additionally, it would be advisable to run the rsync command, if not the entire service, as an unprivileged user.

This issue has been verified on versions up to 2.8.2.

whindes commented Nov 24, 2017

Has anyone recreated this issue? Seems important to follow up. Was there a pull request to solve this issue or is there a fork to review the suggested filter? Thanks for reporting this issue @0xabe-io - Cheers!

0xabe-io commented Nov 30, 2017

Hi @whindes,

No, I don't have any fix for that issue.

The injection has been tested on an old 1.6.X version as well as the 2.8.2.

abergmann commented Jan 4, 2018

CVE-2017-1000469 was assigned to this issue.

0xabe-io changed the title from "The Repos feature is vulnerable to commands injection attack" to "The Repos feature is vulnerable to commands injection attack [CVE-2017-1000469]" on Jan 8, 2018

jmaas closed this in #1889 on May 3, 2018

dolevf commented Jun 19, 2018

Hi team,

Please note that this is still injectable via both createflags and yumdownloader setting:

cmd = "%s %s --config=%s --repoid=%s --download_path=%s" % (cmd, self.rflags, temp_file, pipes.quote(repo.name), pipes.quote(self.settings.webdir + "/repo_mirror"))

cmd = "%s %s %s --disablerepo=* --enablerepo=%s -c %s --destdir=%s %s" % (cmd, extra_flags, use_source, pipes.quote(repo.name), temp_file, pipes.quote(dest_path), " ".join(repo.rpm_list))

rpm -qa:
cobbler-web-2.8.3-2.el7.noarch
cobbler-2.8.3-2.el7.x86_64
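
The command shape quoted in the comment above, and the input filtering suggested in the original report, as an added Python 3 example (not Cobbler's code and not the fix merged in #1889). The allow-list patterns, function names and sample values are assumptions made for illustration, and `shlex.quote` stands in for the `pipes.quote` call shown above.

```python
import re
import shlex
import subprocess

# Allow-lists (assumptions for this sketch, not Cobbler's own rules).
FLAG_RE = re.compile(r"--?[A-Za-z][A-Za-z0-9-]*(=[A-Za-z0-9_./:@%+,-]*)?")
PKG_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


def unsafe_cmd(flags, repo_name, conf, dest, rpm_list):
    """String-built command in the shape quoted above: repo name and
    destination are quoted, flags and package names are not."""
    return "yumdownloader %s --disablerepo=* --enablerepo=%s -c %s --destdir=%s %s" % (
        flags, shlex.quote(repo_name), conf, shlex.quote(dest), " ".join(rpm_list))


def shell_view(cmd):
    """Tokenise roughly as a POSIX shell would, keeping ; & | ( ) < > as
    separate tokens, to show where a shell would start a new command."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_argv(flags, repo_name, conf, dest, rpm_list):
    """Build an argument vector for subprocess.run(argv) with no shell.
    Every flag and package name must match its allow-list."""
    argv = ["yumdownloader"]
    for tok in shlex.split(flags):
        if not FLAG_RE.fullmatch(tok):
            raise ValueError("rejected flag: %r" % tok)
        argv.append(tok)
    argv += ["--disablerepo=*", "--enablerepo=" + repo_name,
             "-c", conf, "--destdir=" + dest]
    for pkg in rpm_list:
        if not PKG_RE.fullmatch(pkg):
            raise ValueError("rejected package name: %r" % pkg)
        argv.append(pkg)
    return argv


def run(argv):
    # shell=False (the default): argv reaches the program verbatim, so
    # metacharacters and the "*" in --disablerepo=* are never expanded by sh.
    return subprocess.run(argv, check=True)
```

Quoting individual fields only protects the fields that were quoted; passing a validated list to `subprocess.run` removes the shell from the path entirely.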

dave-mccowan commented Jul 26, 2018

Does this bug and fix affect only the webui? Or also the CLI interface?
