OpenStack Compute (nova)

xenstore.py xapi plugin uses potentially insecure shell=True

Bug #746731 reported by Johannes Erdfelt on 2011-03-31

258

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Medium	Josh Kearney	OpenStack Compute (nova) 2011.2 "cactus"

Bug Description

This is a similar bug to LP726359.

plugins/xenserver/xenapi/etc/xapi.d/xenstore.py includes a function _run_command that uses Popen with shell=True. This can be potentially a security problem, especially considering it appears unescaped user data is used to construct the command to be executed.

Related branches

lp:~jk0/nova/lp746731

Merged into lp:~hudson-openstack/nova/trunk at revision 952

Sandy Walsh (community): Approve on 2011-04-07

Cory Wright (community): Approve on 2011-04-06

Johannes Erdfelt (community): Approve on 2011-04-06

Revision history for this message

Johannes Erdfelt (johannes.erdfelt) wrote on 2011-03-31:

#1

lp746731.patch Edit (3.3 KiB, text/plain)

Here is my first stab at a patch for the problem.

The code depends on using the shell in two ways:
1) It creates a space delimited string with all of the arguments
2) In one case it uses shell variables to get the status of a command

The patch changes the code to pass a list of arguments as well returning a status code for the command.

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-04-01:

#2

Thanks for reporting this issue ! Could you point to the user data that could be used unescaped in that command ? I couldn't find an obvious path. Setting to Medium importance, but ready to escalate to High/Critical if there is an exploitation path.

Changed in nova:
importance:	Undecided → Medium
status:	New → Confirmed
visibility:	private → public

Revision history for this message

Johannes Erdfelt (johannes.erdfelt) wrote on 2011-04-01:

#3

It depends on how the network info can be manipulated. The code to write vm-data/networking ends up writing JSON, but that won't correctly escape any apostrophes.

I'm not completely familiar with how things like DNS servers and other data get set, but that may or may not be a means to get user data through.

But if/when vm-data/hostname is set, that might provide a very easy way to exploit.

So while I'm not positive there is an exploit right now, it could be a time bomb waiting for a future feature to open an exploit.

Revision history for this message

Thierry Carrez (ttx) wrote on 2011-04-01:

#4

I agree it should definitely be fixed before someone gets more creative than we do :)

Revision history for this message

Johannes Erdfelt (johannes.erdfelt) wrote on 2011-04-04:

#5

Here's an updated version of the patch. It just cleans up some formatting.

Revision history for this message

Johannes Erdfelt (johannes.erdfelt) wrote on 2011-04-04:

#6

lp746731.patch Edit (3.3 KiB, text/plain)

Here's an updated version of the patch. It just cleans up some formatting.

Josh Kearney (jk0) on 2011-04-06

Changed in nova:
status:	Confirmed → In Progress
assignee:	nobody → Josh Kearney (jk0)

Josh Kearney (jk0) on 2011-04-07

Changed in nova:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2011-04-21

Changed in nova:
status:	Fix Committed → Fix Released
milestone:	none → 2011.2

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.