command injection on the host via the xmlrpc api

Bug #978999 reported by David
Affects                  Status        Importance  Assigned to  Milestone
cobbler (Ubuntu)         Fix Released  High        Unassigned
maas-provision (Ubuntu)  Invalid       High        Unassigned

Bug Description

It appears as if the power_system method exposed in the xmlrpc api is vulnerable to command injection through either the system handle (I am not sure about this one :-)), the provided password or the username.

The api.py code features the following:
    def power_on(self, system, user=None, password=None, logger=None):
        """
        Powers up a system that has power management configured.
        """
        return action_power.PowerTool(self._config,system,self,user,password,logger=logger).power("on")

and in action_power.py the following code is found under the 'power' method:

    def power(self, desired_state):
        ...
        template = self.get_command_template()
        template_file = open(template, "r")

        meta = utils.blender(self.api, False, self.system)
        meta["power_mode"] = desired_state

        # allow command line overrides of the username/password
        if self.force_user is not None:
            meta["power_user"] = self.force_user
        if self.force_pass is not None:
            meta["power_pass"] = self.force_pass

        tmp = templar.Templar(self.api._config)
        cmd = tmp.render(template_file, meta, None, self.system)
        template_file.close()

        cmd = cmd.strip()
        ...
        # use shell so we can have multiple power commands chained together
        cmd = ['/bin/sh','-c', cmd]

        # Try the power command 5 times before giving up.
        # Some power switches are flaky
        for x in range(0,5):
            output, rc = utils.subprocess_sp(self.logger, cmd, shell=False)

See [0] for some of the source code in the utils.subprocess_sp method.

While shell=False is passed (eventually) through to the subprocess.Popen method, because the shell /bin/sh [1] has been provided in front of the command, shell meta-characters passed in will actually be a problem. As far as I can tell the template cmd rendering will not strip out shell meta-characters, which opens up a command injection attack vector.

[0] utils.subprocess_sp (found in utils.py) just does the following -->
def subprocess_sp(logger, cmd, shell=True):
    if logger is not None:
        logger.info("running: %s" % cmd)
    try:
        sp = sub_process.Popen(cmd, shell=shell, stdout=sub_process.PIPE, stderr=sub_process.PIPE, close_fds=True)
        ...

[1] To verify that this is the case, you can test it out -->
>>> import subprocess
>>> subprocess.Popen(["/bin/sh", "-c", "echo lol && /bin/sh"], shell=False)
<subprocess.Popen object at 0x7f0ecaa92b50>
>>> lol
sh-4.1$

Revision history for this message
David (d--) wrote :

Without hitting the xmlrpc directly (just using a local python test script) I was able to inject shell commands by providing the following user-name:

";my command goes here ;" (when the power_rsa.template file was the selected power template).
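The pattern the bug description and the comment above describe, rebuilt as an added example that is not cobbler's code: a constructed template string stands in for the Cheetah power template, a constructed username is shaped like the reported payload, and the hardened variant splits the template into argv words before substituting values, which avoids the shell and therefore also gives up the ';' chaining the original comment wanted.

```python
import shlex

# Constructed stand-in for a cobbler power template. Real templates such as
# power_rsa.template are Cheetah files; this string only mimics how the
# rendered command line ends up with $power_user / $power_pass spliced in.
TEMPLATE = 'fence_tool -l "$power_user" -p "$power_pass" -o $power_mode'

# Constructed hostile username shaped like the report's payload: its quotes
# close the template's own quoting so that the ';' reach /bin/sh unquoted.
HOSTILE_USER = '";id ;"'

SEPARATORS = {";", "&&", "||", "|", "&"}


def substitute(text, meta):
    """Plain string interpolation: what the rendered template amounts to."""
    for key, value in meta.items():
        text = text.replace("$" + key, str(value))
    return text


def vulnerable_argv(template, meta):
    """The reported pattern: render, then hand the string to /bin/sh -c.
    shell=False in Popen changes nothing here, because the program being
    exec'd is the shell itself."""
    return ["/bin/sh", "-c", substitute(template, meta).strip()]


def hardened_argv(template, meta):
    """Split the template into words first, then substitute per word, so a
    value can never add words or separators. No shell is involved, which
    also gives up the ';' chaining the original comment wanted."""
    return [substitute(word, meta) for word in shlex.split(template)]


def count_shell_commands(cmd):
    """Number of simple commands a POSIX shell would run for the string cmd."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in SEPARATORS)


if __name__ == "__main__":
    meta = {"power_user": HOSTILE_USER, "power_pass": "secret", "power_mode": "on"}
    bad = vulnerable_argv(TEMPLATE, meta)
    print("shell would run", count_shell_commands(bad[2]), "commands:", bad[2])
    print("hardened argv:", hardened_argv(TEMPLATE, meta))
```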

Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. I have filed a bug with upstream:
https://github.com/cobbler/cobbler/issues/141

Changed in cobbler (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Dave,

Can you check to see how this affects maas-provision?

David (d--)
visibility: private → public
David (d--) wrote :

I wasn't aware of the existence of maas-provision. What exactly is it?

David (d--) wrote :

Ah right, it is https://launchpad.net/maas (/me answering my own question).

James Page (james-page)
Changed in maas-provision (Ubuntu):
importance: Undecided → High
Changed in cobbler (Ubuntu):
importance: Undecided → High
Steve Beattie (sbeattie) wrote :
Changed in maas-provision (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

David, sorry, my question regarding maas-provision was directed at Dave Walker.

Dave Walker, does maas utilize the power_system method?

Jamie Strandboge (jdstrand) wrote :

AppArmor mitigates this in maas-provision.

Changed in maas-provision (Ubuntu):
status: Confirmed → Invalid
Timo Aaltonen (tjaalton)
Changed in cobbler (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cobbler - 2.4.0-0ubuntu2

---------------
cobbler (2.4.0-0ubuntu2) saucy; urgency=low

  * cobbler-web.postinst: Generate a random key for SECURITY_KEY in settings.py.
 -- Timo Aaltonen <email address hidden> Thu, 29 Aug 2013 19:32:56 +0300

Changed in cobbler (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.