Shell injection possibility in cmd/control.py

Bug #1335208 reported by Travis McPeak
Affects                      | Status        | Importance | Assigned to    | Milestone
Glance                       | Fix Released  | Undecided  | Travis McPeak  |
OpenStack Security Advisory  | Invalid       | Undecided  | Unassigned     |

Bug Description

The glance/cmd/control.py file contains a possible shell injection vulnerability: https://github.com/openstack/glance/blob/master/glance/cmd/control.py#L134 . Setting 'shell=True' here opens the possibility of shell injection by setting server to something like '; rm -rf /'. This will cause the command 'rm -rf /' to be run with the privileges of the user that ran Glance.

This may not be a major security concern at this time because the only place that I found for 'server' to come from is a Glance configuration file, which should be locked down. Only privileged users should have write access to the config file, and if they want to do bad things on the system there are easier ways.

Still, 'shell=True' appears to be completely unnecessary for this call. Simply omitting the shell parameter here will cause it to revert to the default behavior, which requires that the command to be run be specified in a separate parameter from the arguments to the command. This effectively prevents shell injection vulnerabilities.

Tags: security
Nathan Kinder (nkinder) wrote :

I've discussed this with Travis, and I don't think that it is a vulnerability given that the person who can inject shell commands is the admin who has write access to the glance config file. On my system, write access is locked down to the "glance" user, which is the same user that the process runs as.

Tristan Cacqueray (tristan-cacqueray) wrote :

The OSSA task is set to incomplete pending details from security reviewer.
It doesn't look like a real vulnerability as-is, more a security hardening...

However maybe someone will find an attack scenario that would warrant an advisory, like a configuration tool that would allow a regular user to fiddle this parameter.

Changed in ossa:
status: New → Incomplete
Thierry Carrez (ttx) wrote :

It looks like a fix for this would be a welcome strengthening, but it's not really exploitable as-is.
Unless someone complains here in the next few days, we'll open this bug so that it can be publicly fixed in the best delays.

Thierry Carrez (ttx)
information type: Private Security → Public
Changed in ossa:
status: Incomplete → Invalid
tags: added: security
Changed in glance:
assignee: nobody → Travis McPeak (travis-mcpeak)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/108127

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/108127
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=63c606f696170ebf0a38e7650b242c0727342547
Submitter: Jenkins
Branch: master

commit 63c606f696170ebf0a38e7650b242c0727342547
Author: tmcpeak <email address hidden>
Date: Fri Jul 18 11:23:16 2014 -0700

    Security hardening: fix possible shell injection vulnerability

    The glance/cmd/control.py file contains a possible shell injection
    vulnerability:

    https://github.com/openstack/glance/blob/master/glance/cmd/control.py#L134 .

    Setting 'shell=True' here opens the possibility of shell injection
    by setting server to something like '; rm -rf /'. This will cause
    the command 'rm -rf /' to be run with the privileges of the user
    that ran Glance.

    The fix is to parameterize the input so that the command run here
    can only be 'logger'.

    Change-Id: If48106ceea1dd582bcec9d03e056d88591bcba8d
    Closes-bug: 1335208
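
The bug description and the commit message above both describe the same two shapes of a subprocess call: a string handed to `/bin/sh` with `shell=True`, where a config-derived value can smuggle in a second command, and an argv list with no shell, where that value can only ever be one argument. The following is an added illustration and is not glance's code or the merged fix; it uses `echo` in place of `logger` so the demonstration is harmless and runs offline, and the argv layout of `hardened_logger_argv` and the `is_safe_server_name` check are assumptions, not what the project does.

```python
import re
import subprocess

# Constructed sample value: a "server" name as it might appear in a
# configuration file, carrying a shell metacharacter and a harmless
# follow-on command so the effect is visible without doing any damage.
INJECTED_SERVER = "; echo INJECTED"


def vulnerable_echo(server: str) -> str:
    """The pattern the bug report describes: one string is handed to
    /bin/sh, so anything after ';' in 'server' runs as its own command.
    'echo' stands in for 'logger' here (assumption for the demo)."""
    result = subprocess.run(
        "echo %s" % server, shell=True, capture_output=True, text=True
    )
    # With the sample value the shell runs 'echo' and then 'echo INJECTED'.
    return result.stdout


def hardened_echo(server: str) -> str:
    """The shape of the fix: an argv list and no shell. 'server' is a
    single argv element, so ';' and everything after it reach 'echo' as
    literal characters instead of being parsed as a command separator."""
    result = subprocess.run(
        ["echo", server], shell=False, capture_output=True, text=True
    )
    return result.stdout


def hardened_logger_argv(server: str, message: str) -> list:
    """Assumed argv layout for a 'logger' call (not glance's own code):
    the program is fixed to 'logger' and the config-derived values are
    arguments, so they cannot change which program gets executed."""
    return ["logger", "-t", "glance-control:%s" % server, message]


# Assumed defensive check, not part of glance: reject server names that
# could not be a legitimate service name. This is defence in depth on top
# of the argv fix, useful when config files are written by people other
# than the operators who deploy them.
_SAFE_SERVER_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def is_safe_server_name(server: str) -> bool:
    """True only for plain service-name characters (no shell metachars)."""
    return bool(_SAFE_SERVER_NAME.match(server))


if __name__ == "__main__":
    print("shell=True  :", repr(vulnerable_echo(INJECTED_SERVER)))
    print("argv list   :", repr(hardened_echo(INJECTED_SERVER)))
    print("logger argv :", hardened_logger_argv(INJECTED_SERVER, "started"))
    print("name ok?    :", is_safe_server_name(INJECTED_SERVER),
          is_safe_server_name("glance-api"))
```

Running the block shows the difference directly: the `shell=True` variant prints a blank line followed by `INJECTED`, because the shell executed two commands, while the argv variant prints the literal text `; echo INJECTED` as a single argument. The `logger` argv list keeps the injected value inside one element, which is exactly the property the fix relies on.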

Changed in glance:
status: In Progress → Fix Committed
Changed in glance:
milestone: none → juno-2
status: Fix Committed → Fix Released
Robert Clark (robert-clark) wrote :

I have a general concern around this.

In large deployments, the people that configure the service are often not those who run it. Some developers write the configuration files for Glance etc and store them in their chosen config management system, which a 'deployer' later uses to deploy the service etc.

Due to this separation of concerns there is a possibility for an attacker who does not have production access (i.e. some developer) to gain it through abuse of a cmd injection vulnerability such as this one.

The risk is pretty low and I have no objection to this being opened up for public review but it's worth keeping in mind that it's entirely possible that your admin-owned config files running in production were crafted by developers without production access...

Thierry Carrez (ttx)
Changed in glance:
milestone: juno-2 → 2014.2