There's a potential arbitrary code execution in the srb volume driver in
cinder.
The offending code is below. At point #1 a value is being read which
comes from /etc/cinder/cinder.conf. If this value is set to something like `echo
hello > /tmp/test.txt` then one can achieve code execution at #2. Obviously it's
a defense in depth thing as one would need to have write access to
/etc/cinder/cinder.conf but it's strongly recommended to properly filter
out malicious shell characters to prevent any possibility of accidental or
malicious code execution.
/opt/stack/cinder/cinder/volume/drivers/srb.py
def _setup_urls(self):
if not self.base_urls:
message = _("No url configured")
raise exception.VolumeBackendAPIException(data=message)
with handle_process_execution_error(
message=_LE('Cound not setup urls on the Block
Driver.'),
info_message=_LI('Error creating Volume'),
reraise=False):
cmd = 'echo ' + self.base_urls + ' >
/sys/class/srb/add_urls'
putils.execute('sh', '-c', cmd,
root_helper='sudo', run_as_root=True) <---
#2
self.urls_setup = True
def do_setup(self, context):
"""Any initialization the volume driver does while starting."""
self.backend_name =
self.configuration.safe_get('volume_backend_name')
base_urls = self.configuration.safe_get('srb_base_urls') <-- #1
if base_urls:
base_urls = ','.join(s.strip() for s in
base_urls.split(','))
self.base_urls = base_urls
self._setup_urls()
To illustrate the issue consider the following:
>>> from oslo_concurrency import processutils as p
>>> bla = "`echo hello > /tmp/test.txt`"
>>> cmd = 'echo ' + bla + ' > /sys/class/srb/add_urls'
>>> cmd
'echo `echo hello > /tmp/test.txt` > /sys/class/srb/add_urls'
>>> p.execute("sh","-c",cmd)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File
"/usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py",
line 224, in execute
cmd=sanitized_cmd)
oslo_concurrency.processutils.ProcessExecutionError: Unexpected error
while running command.
Command: sh -c echo `echo hello > /tmp/test.txt` >
/sys/class/srb/add_urls
Exit code: 2
Stdout: u''
Stderr: u'sh: 1: cannot create /sys/class/srb/add_urls: Directory
nonexistent\n'
>>>
$ ls -l /tmp
total 8
-rw-r--r-- 1 stack stack 6 Jan 13 19:18 test.txt
drwx------ 2 stack stack 4096 Jan 13 19:19 vFg4zZS
$ cat /tmp/test.txt
hello
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.