cfntools command injection
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| heat-cfntools | Fix Released | Medium | Anant Patil | |
Bug Description
The package heat-cfntools, which provides the Cloud Formation tools installed on instance images, contains a command line injection vulnerability in the way it launches a subprocess. The class CommandRunner, in the file cfntools/
cmd = ['su', user, '-c', self._command]
Since `su {user} -c` creates another subprocess, it will evaluate and execute the self._command string, making it susceptible to command line injection. Additionally, `su {user} -c` must be run as root in this context; otherwise the program will wait for the user to input a password.
An example of this can be found in the utility in bin/cfn-signal, which signals when an application is ready, by sending a curl request containing external input:
cmd_str = "curl -X PUT -H \'Content-Type:\' --data-binary \'%s\' \"%s\"" % \
(cfn_
Although the HTTP request body is JSON encoded, the `\'` in the Python source is only a literal single quote, so a single quote inside the data closes the quoted argument in the resulting command line string. Additionally, if the second argument, the URL, contains a double quote it will also break out of the curl string.
Examples and steps to reproduce:
As root, run the following commands:
cfn-signal -d "some content' http://
cfn-signal 'http://
Where in each example, `echo hello>>/tmp/hello;` will be executed.
Depending upon how the Heat template was built, if an attacker can influence any of the arguments in the JSON request body it would be possible to inject arbitrary commands run as root on the instance. This, however, is just one example of many calls to CommandRunner using input from external resources.
It is recommended that CommandRunner try to elevate or demote itself to the desired user id and then call Popen with an argument list containing the command and arguments instead of an inline command and argument string such as:
import os
import subprocess

# Command and arguments as a list: nothing is re-parsed by a shell.
cmd = ["ls", "-la", "/tmp/"]
try:
    # Switch to the desired user id first, then exec the program directly.
    os.setuid(0)
    subprocess.Popen(cmd)
except Exception as ex:
    print("Error: %s" % ex)
instead of:
cmd = ['su', user, '-c', self.command]
subprocess.Popen(cmd)  # `su -c` hands self.command to a shell, which re-parses it
This will require that all CommandRunner calls be changed to a list instead of a string throughout the cfntools package.
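The following is an added example, not code from this report or from heat-cfntools. It contrasts the string-building pattern described above with an argument-list form, using shlex (which follows POSIX shell quoting rules) to show how a shell would tokenize each, and runs a child that prints its first argument to show that a list element reaches the program verbatim. The payload, the URL and the helper names (`vulnerable_command`, `safe_argv`, `run_as_user_argv`, `echo_argument_verbatim`) are constructed for this example; the `uid`/`gid` demotion path assumes the caller already holds the needed privileges.

```python
import os
import shlex
import subprocess
import sys

# Constructed sample input: a signal body containing a single quote followed
# by shell syntax, the same shape as the report's reproduction input.
UNTRUSTED_DATA = "some content'; echo hello>>/tmp/hello; echo '"
URL = "http://example.invalid/"  # constructed placeholder


def vulnerable_command(data, url):
    """String-building pattern from the report. The \\' in the Python source is
    just a literal quote, so a quote inside `data` terminates the quoted
    argument when a shell parses the result."""
    return "curl -X PUT -H 'Content-Type:' --data-binary '%s' \"%s\"" % (data, url)


def safe_argv(data, url):
    """Argument-list form: each element is passed to execve() unchanged and
    no shell ever re-parses it."""
    return ["curl", "-X", "PUT", "-H", "Content-Type:",
            "--data-binary", data, url]


def shell_tokens(cmd_str):
    """Split a command string the way a POSIX shell would (shlex rules)."""
    return shlex.split(cmd_str)


def quoted_command(argv):
    """If a single string is unavoidable (e.g. for `su -c`), quote every
    element so the shell reconstructs exactly the intended argv."""
    return " ".join(shlex.quote(arg) for arg in argv)


def run_as_user_argv(argv, uid=None, gid=None):
    """Run argv directly, without `su -c`. If uid/gid are given, drop to them
    in the child before exec (requires the parent to be privileged)."""
    def demote():
        if gid is not None:
            os.setgid(gid)
        if uid is not None:
            os.setuid(uid)

    preexec = demote if (uid is not None or gid is not None) else None
    return subprocess.run(argv, preexec_fn=preexec,
                          capture_output=True, text=True, check=False)


def echo_argument_verbatim(payload):
    """Pass payload as one argv element to a child that writes argv[1] back.
    Whatever shell syntax it contains is data, not commands."""
    argv = [sys.executable, "-c",
            "import sys; sys.stdout.write(sys.argv[1])", payload]
    return run_as_user_argv(argv).stdout


if __name__ == "__main__":
    print("string form tokens:", shell_tokens(vulnerable_command(UNTRUSTED_DATA, URL)))
    print("list form:", safe_argv(UNTRUSTED_DATA, URL))
    print("child received:", repr(echo_argument_verbatim(UNTRUSTED_DATA)))
```

In the string form the data no longer survives as a single token, which is the breakout the report describes; in the list form it is one element regardless of content. On Python 3.9 and later, `subprocess.Popen`/`run` also accept `user=` and `group=` arguments that perform the same demotion as the `preexec_fn` above.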
Environment:
Ubuntu 12.04
OS X Mavericks
Changed in ossa:
  status: New → Incomplete
no longer affects: ossa
Changed in heat-cfntools:
  assignee: nobody → Anant Patil (ananta)
Changed in heat-cfntools:
  status: New → Triaged
  importance: Undecided → Medium
  information type: Private Security → Public Security
Changed in heat-cfntools:
  milestone: none → v1.4.0
Changed in heat-cfntools:
  status: Fix Committed → Fix Released
Changed in horizon:
  status: New → Fix Committed
  status: Fix Committed → New
Changed in horizon:
  status: New → Invalid
no longer affects: horizon
heat-cfntools is currently not covered by OSSAs (see https://wiki.openstack.org/wiki/Security_supported_projects). We are considering its addition though, but a thorough security audit needs to be conducted and various issues fixed first.
My inclination here would be to open this bug publicly and get it fixed asap. It's a bit borderline anyway, since the attack scenario is likely to need social engineering to succeed.