potential arbitrary code execution in the srb volume driver
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | Fix Released | Low | Jordan Pittier | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
There's a potential arbitrary code execution in the srb volume driver in
cinder.
The offending code is below. At point #1 a value is being read which
comes from /etc/cinder/
hello > /tmp/test.txt` then one can achieve code execution at #2. Obviously it's
a defense in depth thing as one would need to have write access to
/etc/cinder/
out malicious shell characters to prevent any possibility of accidental or
malicious code execution.
/opt/stack/
    def _setup_urls(self):
        if not self.base_urls:
            message = _("No url configured")
            raise exception.
        with handle_
            cmd = 'echo ' + self.base_urls + ' >

    def do_setup(self, context):
        """Any initialization the volume driver does while starting."""
        base_urls = self.configurat
        if base_urls:
To illustrate the issue consider the following:
>>> from oslo_concurrency import processutils as p
>>> bla = "`echo hello > /tmp/test.txt`"
>>> cmd = 'echo ' + bla + ' > /sys/class/
>>> cmd
'echo `echo hello > /tmp/test.txt` > /sys/class/
>>> p.execute(
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File
"/usr/
line 224, in execute
cmd=
oslo_concurrenc
while running command.
Command: sh -c echo `echo hello > /tmp/test.txt` >
/sys/class/
Exit code: 2
Stdout: u''
Stderr: u'sh: 1: cannot create /sys/class/
nonexistent\n'
>>>
$ ls -l /tmp
total 8
-rw-r--r-- 1 stack stack 6 Jan 13 19:18 test.txt
drwx------ 2 stack stack 4096 Jan 13 19:19 vFg4zZS
$ cat /tmp/test.txt
hello
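The injection the reporter demonstrates above, reproduced beside two hardened variants, as an added example that is not part of the bug report or of the Cinder code base. It uses `subprocess` in place of `oslo_concurrency.processutils` (the `sh -c` shape is the same), writes to a temporary file instead of the sysfs path, and the URL whitelist regex is an assumption about what an acceptable SRB base URL looks like, not the project's own validation.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Constructed sample config values (not from any real cinder.conf).
SAFE_URLS = "http://10.0.0.1:8000,http://10.0.0.2:8000"
MALICIOUS_URLS = "`echo hello > /tmp/test.txt`"


def build_cmd_unsafe(base_urls, target):
    """The vulnerable pattern: untrusted config spliced into a shell string."""
    return "echo " + base_urls + " > " + target


def build_cmd_quoted(base_urls, target):
    """Minimal fix if a shell is unavoidable: quote every interpolated value."""
    return "echo " + shlex.quote(base_urls) + " > " + shlex.quote(target)


def run_through_shell(cmd):
    """Equivalent of processutils.execute(cmd, shell=True): sh -c <cmd>."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)


def _payload_for(marker):
    # Backtick command substitution whose side effect is creating `marker`.
    return "`echo hello > " + marker + "`"


def demo_injection():
    """Run the vulnerable string through sh -c.
    Returns True when the backtick payload executed (marker file appeared)."""
    tmpdir = tempfile.mkdtemp()
    marker = os.path.join(tmpdir, "pwned.txt")
    run_through_shell(build_cmd_unsafe(_payload_for(marker),
                                       os.path.join(tmpdir, "target")))
    return os.path.exists(marker)


def demo_quoted():
    """Same payload through the quoted command.
    Returns (payload_executed, target_holds_literal_payload)."""
    tmpdir = tempfile.mkdtemp()
    marker = os.path.join(tmpdir, "pwned.txt")
    target = os.path.join(tmpdir, "target")
    payload = _payload_for(marker)
    run_through_shell(build_cmd_quoted(payload, target))
    with open(target) as f:
        content = f.read().rstrip("\n")
    return os.path.exists(marker), content == payload


# Assumed whitelist for a base URL: scheme, "://", then a conservative
# character set with no shell metacharacters (no backtick, $, ;, |, &, space).
_URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://[A-Za-z0-9._~:/?&=%+\-]+")


def validate_base_urls(base_urls):
    """Split the comma-separated config value and reject anything that is
    not a plain URL. Raises ValueError on the first bad entry."""
    urls = [u.strip() for u in base_urls.split(",")]
    for u in urls:
        if not u or not _URL_RE.fullmatch(u):
            raise ValueError("rejected srb base url: %r" % u)
    return urls


def is_valid_base_urls(base_urls):
    try:
        validate_base_urls(base_urls)
        return True
    except ValueError:
        return False


def write_urls_safely(base_urls, target=None):
    """Hardened form: validate first, then hand the value to a child process
    as an argv list with the data on stdin, so no shell ever parses it.
    In a real driver this is where run_as_root/rootwrap would apply.
    Returns what was written to `target`."""
    urls = validate_base_urls(base_urls)
    if target is None:
        target = os.path.join(tempfile.mkdtemp(), "target")
    subprocess.run(["tee", target], input=",".join(urls), text=True,
                   check=True, stdout=subprocess.DEVNULL)
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    print("unsafe concat executed payload:", demo_injection())
    print("quoted (executed, literal stored):", demo_quoted())
    print("malicious value accepted by validator:", is_valid_base_urls(MALICIOUS_URLS))
    print("written safely:", write_urls_safely(SAFE_URLS))
```

`shlex.quote` alone neutralises the metacharacters, but it still leaves the shell in the path; dropping the shell and whitelisting the value is the defence-in-depth the reporter asks for, and it also means a typo in cinder.conf fails loudly at `do_setup` instead of reaching sysfs.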
Changed in cinder:
importance: Undecided → Critical
importance: Critical → Low
Changed in cinder:
status: Fix Committed → Fix Released
Changed in cinder:
milestone: kilo-3 → 2015.1.0
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.