Authenticated RCE in blazar-dashboard via python expression in POST parameters
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Blazar | Fix Released | Critical | Pierre Riteau |
Bug Description
#Description
Several endpoints in blazar-dashboard pass raw user input that is expected to be JSON to the Python `eval` function. An authenticated user can exploit this to execute arbitrary code on the Horizon host.
#Reproduction
- Log into Horizon (blazar_dashboard must be installed and enabled)
- Navigate to `Admin` -> `Reservation` -> `Hosts`
- Click `+ Create Hosts`
- Enter a python expression in the text area under `Extra Capabilities`
-- It is also possible to execute python code containing multiple statements by wrapping it into an `exec('<python code>')` call
-- The attached video shows how a reverse shell can be achieved using this payload: `exec('import pty;import socket,
- Click `Create Hosts`
#Suggested fix
1.) Use `json.loads` instead of `eval` to parse JSON data
Only the `extra_caps` parameter could be tested due to problems with the local testing setup. However, the attached patch replaces all 4 usages of `eval` within the blazar_dashboard project, as they seem likely to contain additional vulnerabilities.
Please note that this change will break some hopefully unused functionality, like:
- arithmetic expressions in property values
```
{
"key": 1300 + 37
}
```
- pseudo JSON using single quotes instead of double quotes
```
{
'key': 1337
}
```
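The following is an added example, not code from the bug report or from blazar-dashboard, that puts the vulnerable pattern from the description beside the suggested `json.loads` fix and runs both over the inputs discussed above. The sample strings are constructed here (`VALID_JSON`, `ARITHMETIC`, `SINGLE_QUOTES`); `PAYLOAD` is a harmless expression standing in for the `exec(...)` reverse-shell payload in the reproduction steps, and the `isinstance(..., dict)` check in the fixed parser is an added assumption (extra capabilities are key/value pairs), not part of the attached patch.

```python
import json
import os

# Constructed sample inputs (not taken from the report) standing in for what
# the "Extra Capabilities" text area submits as the extra_caps POST parameter.
VALID_JSON = '{"gpu": "true", "rack": "A1"}'
ARITHMETIC = '{"key": 1300 + 37}'   # pseudo JSON: eval() computes it, json.loads() rejects it
SINGLE_QUOTES = "{'key': 1337}"     # pseudo JSON: eval() accepts it, json.loads() rejects it
# Harmless stand-in for the exec(...) reverse-shell payload: any Python
# expression runs, here one that just reads the dashboard process's pid.
PAYLOAD = "__import__('os').getpid()"


def parse_extra_caps_vulnerable(raw):
    """The pattern the report describes: eval() on a request parameter.

    Deliberately unsafe; kept only to show why json.loads() is the fix."""
    return eval(raw)


def parse_extra_caps_fixed(raw):
    """Suggested fix: json.loads() only builds data, it never runs code.

    The dict check is an added assumption here (extra capabilities are
    key/value pairs), not part of the report's patch."""
    caps = json.loads(raw)
    if not isinstance(caps, dict):
        raise ValueError("extra_caps must be a JSON object")
    return caps


def classify(raw):
    """('data', parsed) when the input is a JSON object, else ('rejected', error name)."""
    try:
        return ("data", parse_extra_caps_fixed(raw))
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    # eval() executes the payload: the "parsed" value is this process's pid.
    print("eval on payload   :", parse_extra_caps_vulnerable(PAYLOAD) == os.getpid())
    for name, raw in [("valid", VALID_JSON), ("arithmetic", ARITHMETIC),
                      ("single quotes", SINGLE_QUOTES), ("payload", PAYLOAD)]:
        print(f"json.loads {name:14}:", classify(raw))
```

Under `eval`, all four inputs "parse": the two pseudo-JSON forms yield `{'key': 1337}` and the payload executes. Under `json.loads`, only `VALID_JSON` is accepted; the arithmetic and single-quote forms fail with `JSONDecodeError` exactly as the note above warns, and the payload fails the same way instead of running, which is the point of the fix.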
information type: Private Security → Public Security
Changed in blazar:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Pierre Riteau (priteau)
Replacing all instances of `eval` with json.parse