ajaxterm/qweb.py facilitates arbitrary code execution

Bug #917963 reported by Paul McMillan on 2012-01-18
This bug affects 1 person
Affects: OpenStack Compute (nova)
Assigned to: Thierry Carrez

Bug Description

Ajaxterm (by way of qweb [last patched in 2006]) stores session data in a pickle in the system temp directory. It unpickles this file without validation. If an attacker can write to the temp directory (file upload would be a common case, qweb may allow this), qweb will happily unpickle and execute attack code.

The qweb framework has a bunch of other problems (irresponsible use of eval on user-provided input, response splitting and various XSS shenanigans being obvious candidates), but this one seems particularly notable. I would suggest that we fix the bug by removing qweb.py (and by extension, ajaxterm) rather than trying to patch its deficiencies.

We have noVNC, which obsoletes ajaxterm pretty effectively.
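The two defects the report and the later comments describe are that session state is pickled into the shared system temp directory and then unpickled without any validation. The block below is an added illustration written for this page, not code from qweb, ajaxterm or Nova: it shows how a defender can inspect a pickle stream without executing it, how to load a legacy data-only session pickle while refusing any import or call, and a replacement store that keeps JSON session files in a private 0700 directory (which also addresses the "non world-writeable session directory" point raised further down). File names, the session-id rule, and the sample payloads are constructed assumptions.

```python
import io
import json
import os
import pickle
import pickletools
import tempfile

# pickle opcodes that import or call objects; a stream carrying only data
# (dicts, strings, ints, lists) never needs any of them.
CODE_EXEC_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                     "NEWOBJ_EX", "REDUCE", "BUILD"}


def pickle_opcodes(data: bytes) -> set:
    """Disassemble a pickle stream with pickletools; nothing is executed."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)}


def is_safe_pickle(data: bytes) -> bool:
    """True when the stream contains no import/call opcodes."""
    return not (pickle_opcodes(data) & CODE_EXEC_OPCODES)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only built-in data types load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_legacy_session(data: bytes):
    """Load an old pickle-format session file; return None unless it is plain data."""
    if not is_safe_pickle(data):
        return None
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None


def is_valid_session_id(sid: str) -> bool:
    """Session ids are opaque tokens (assumed rule); reject anything that could escape the directory."""
    return 8 <= len(sid) <= 64 and sid.isalnum()


class SessionStore:
    """JSON session files in a private per-user directory instead of pickles in /tmp."""

    def __init__(self, directory=None):
        # tempfile.mkdtemp creates the directory with mode 0700, owned by this user.
        self.directory = directory or tempfile.mkdtemp(prefix="sess-")

    def _path(self, sid):
        if not is_valid_session_id(sid):
            raise ValueError("bad session id")
        return os.path.join(self.directory, sid + ".json")

    def save(self, sid, data):
        path = self._path(sid)
        tmp = path + ".tmp"
        # O_EXCL fails if something already sits at the temp name (file or symlink);
        # the rename then swaps the finished file in atomically.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(data, fh)
        os.replace(tmp, path)

    def load(self, sid):
        with open(self._path(sid)) as fh:
            return json.load(fh)

    def file_mode(self, sid) -> int:
        return os.stat(self._path(sid)).st_mode & 0o777


# Constructed samples: a benign data-only pickle and one that merely names a callable.
def benign_sample() -> bytes:
    return pickle.dumps({"user": "alice", "ttl": 300})


def callable_sample() -> bytes:
    return pickle.dumps(len)  # serialises as a reference to builtins.len


if __name__ == "__main__":
    print(sorted(pickle_opcodes(callable_sample())))
    print(load_legacy_session(benign_sample()), load_legacy_session(callable_sample()))
    store = SessionStore()
    store.save("abcdef1234", {"user": "alice"})
    print(store.load("abcdef1234"), oct(store.file_mode("abcdef1234")))
```

The opcode scan is the useful detection primitive: any session file whose disassembly contains GLOBAL, STACK_GLOBAL or REDUCE is not plain data and should be treated as tampered. JSON removes the problem entirely, which is why the store above does not write pickles at all; the restricted unpickler exists only to read files left behind by the old format.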


Thierry Carrez (ttx) wrote :

Adding PTL and markmc (as it may impact soon-to-be-released 2011.3.1)

Working on checking how exploitable this is, but at first glance I'd agree that this qweb.py is pretty weak.

Thierry Carrez (ttx) wrote :

Also see bug 787094

Thierry Carrez (ttx) wrote :

This doesn't look directly exploitable (without the ability for an attacker to create /tmp/qweb_sess_XXXX files) but I would agree that:

* At the very minimum, session files should be created in a different (non world-writeable) session directory
* qweb.py, and by extension ajaxterm, looks like a pretty weak piece of code (and not just in terms of security). If NoVNC really obsoletes it, we should get rid of it
* In all cases we shouldn't copy/ship ajaxterm code in Nova (bug 787094)

markmc, Vish: thoughts?

Thierry Carrez (ttx) on 2012-01-19
Changed in nova:
importance: Undecided → High
status: New → Confirmed

Mark McLoughlin (markmc) wrote :

Don't think it's worth holding 2011.3.1 up for this, especially given that we don't have a fix yet.

Robert Clark (robert-clark) wrote :

Isn't the fix as simple as removing ajaxterm?

Thierry Carrez (ttx) wrote :

For the release under development, that's definitely an option (I would just like to make sure we can point people to a complete replacement).

But as a stable update to an already-released version (Diablo) that's not really an option, as it could potentially break functionality that some people rely on.

Paul McMillan (paul-mcmillan) wrote :

It's worth pointing out that upstream ajaxterm is basically abandoned and has had open CVEs for a while... Are we at least using the patched Debian version that somewhat fixes the session predictability problem?

Thierry Carrez (ttx) wrote :

Yeah, our version uses server-side session ID so it's not affected. Trying to get some nova-core advice on whether we can easily get rid of it.

Vish Ishaya (vishvananda) wrote :

Now that we have functional vnc, I have no problem killing it.

Thierry Carrez (ttx) wrote :

I'll have a try at removing it. Are we all OK about making this bug public?

Changed in nova:
assignee: nobody → Thierry Carrez (ttx)
status: Confirmed → In Progress

Thierry Carrez (ttx) wrote :

Proposed patch.
Should I start a thread on the ML before pushing this?

Paul McMillan (paul-mcmillan) wrote :

I've got no objections to making it public. Ajaxterm is known broken, and while I think some hacking could probably produce an exploit, I haven't done so, and anyone who looks at the code should be able to figure out the same thing.

Thierry Carrez (ttx) wrote :

Discussed with vishy, sounds like a better idea to remove it post-E3, rather than breaking packagers' expectations just before.

Thierry Carrez (ttx) wrote :

Opening. Note that this only affects packaging that uses the bundled ajaxterm (Ubuntu uses the packaged one, for example)

Changed in nova:
importance: High → Medium
visibility: private → public
summary: - qweb.py (included with ajaxterm) allows arbitrary code execution
+ ajaxterm/qweb.py facilitates arbitrary code execution
Changed in nova:
milestone: none → essex-4

Thierry Carrez (ttx) wrote :

Will propose once the dust settles on the dead wood thread on the ML

Jesse Andrews (anotherjesse) wrote :

Vishy had assigned the blueprint to me.

Reassigning it to you - I had taken a pass at doing the same thing as your patch.

Looking forward to it landing.

Reviewed: https://review.openstack.org/3850
Committed: http://github.com/openstack/nova/commit/71410724cd1516608ee58c37077bf9080da38de2
Submitter: Jenkins
Branch: master

commit 71410724cd1516608ee58c37077bf9080da38de2
Author: Thierry Carrez <email address hidden>
Date: Tue Feb 7 16:37:34 2012 +0100

    Remove ajaxterm from Nova

    Removes copy of ajaxterm code, nova-ajax-console-proxy,
    and support for get_ajax_console from Nova proper.

    Implements blueprint remove-ajaxterm
    Fixes bug 917963

    Change-Id: I2c0ff427c53c0f63a18b10475d6b4cbe9a085d83

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-02-29
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-4 → 2012.1
This report contains Public Security information.