Comment 152 for bug 2059809

Felix Huettner (felix.huettner) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Hi everyone, I think we have another exploit path.

1. Create some normal server and login to it
2. Create an empty volume (on the backend the volume must be created as raw and not as qcow2)
3. Attach the volume to the server
4. Write a malicious qcow2 file to the volume from the VM (so that qemu-img info /dev/vdb works)
5. Create a snapshot from the volume
6. Create a new volume from the snapshot
7. Attach the new volume to the same VM

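On our side this fails with the following traceback, but it only needs the backing file to be writable. The final line of the traceback shows QEMU attempting to open '/etc/passwd' and being refused only by file permissions.
I'll try to find out why the volume is not attached as raw, but maybe someone knows more.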

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/oslo_messaging/rpc/server.py", line 165, in _process_incoming
    res = self.dispatcher.dispatch(message)
  File "/usr/local/lib/python3.10/dist-packages/oslo_messaging/rpc/dispatcher.py", line 309, in dispatch
    return self._do_dispatch(endpoint, method, ctxt, args)
  File "/usr/local/lib/python3.10/dist-packages/oslo_messaging/rpc/dispatcher.py", line 229, in _do_dispatch
    result = func(ctxt, **new_args)
  File "/usr/local/lib/python3.10/dist-packages/nova/exception_wrapper.py", line 65, in wrapped
    with excutils.save_and_reraise_exception():
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
    self.force_reraise()
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
    raise self.value
  File "/usr/local/lib/python3.10/dist-packages/nova/exception_wrapper.py", line 63, in wrapped
    return f(self, context, *args, **kw)
  File "/usr/local/lib/python3.10/dist-packages/nova/compute/utils.py", line 1439, in decorated_function
    return function(self, context, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/nova/compute/manager.py", line 211, in decorated_function
    with excutils.save_and_reraise_exception():
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
    self.force_reraise()
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
    raise self.value
  File "/usr/local/lib/python3.10/dist-packages/nova/compute/manager.py", line 201, in decorated_function
    return function(self, context, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/nova/compute/manager.py", line 7338, in attach_volume
    do_attach_volume(context, instance, driver_bdm)
  File "/usr/local/lib/python3.10/dist-packages/oslo_concurrency/lockutils.py", line 414, in inner
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/nova/compute/manager.py", line 7335, in do_attach_volume
    with excutils.save_and_reraise_exception():
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
    self.force_reraise()
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
    raise self.value
  File "/usr/local/lib/python3.10/dist-packages/nova/compute/manager.py", line 7333, in do_attach_volume
    return self._attach_volume(context, instance, driver_bdm)
  File "/usr/local/lib/python3.10/dist-packages/nova/compute/manager.py", line 7355, in _attach_volume
    with excutils.save_and_reraise_exception():
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
    self.force_reraise()
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
    raise self.value
  File "/usr/local/lib/python3.10/dist-packages/nova/compute/manager.py", line 7352, in _attach_volume
    bdm.attach(context, instance, self.volume_api, self.driver,
  File "/usr/local/lib/python3.10/dist-packages/nova/virt/block_device.py", line 46, in wrapped
    ret_val = method(obj, context, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/nova/virt/block_device.py", line 734, in attach
    self._do_attach(context, instance, volume, volume_api,
  File "/usr/local/lib/python3.10/dist-packages/nova/virt/block_device.py", line 719, in _do_attach
    self._volume_attach(context, volume, connector, instance,
  File "/usr/local/lib/python3.10/dist-packages/nova/virt/block_device.py", line 662, in _volume_attach
    with excutils.save_and_reraise_exception():
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
    self.force_reraise()
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
    raise self.value
  File "/usr/local/lib/python3.10/dist-packages/nova/virt/block_device.py", line 657, in _volume_attach
    virt_driver.attach_volume(
  File "/usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/driver.py", line 2182, in attach_volume
    with excutils.save_and_reraise_exception():
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
    self.force_reraise()
  File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
    raise self.value
  File "/usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/driver.py", line 2167, in attach_volume
    guest.attach_device(conf, persistent=True, live=live)
  File "/usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/guest.py", line 340, in attach_device
    self._domain.attachDeviceFlags(device_xml, flags=flags)
  File "/usr/local/lib/python3.10/dist-packages/eventlet/tpool.py", line 193, in doit
    result = proxy_call(self._autowrap, f, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/eventlet/tpool.py", line 151, in proxy_call
    rv = execute(f, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/eventlet/tpool.py", line 132, in execute
    six.reraise(c, e, tb)
  File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
    raise value
  File "/usr/local/lib/python3.10/dist-packages/eventlet/tpool.py", line 86, in tworker
    rv = meth(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/libvirt.py", line 716, in attachDeviceFlags
    raise libvirtError('virDomainAttachDeviceFlags() failed')
libvirt.libvirtError: internal error: unable to execute QEMU command 'blockdev-add': Could not open '/etc/passwd': Permission denied