command injection on the host via the xmlrpc api
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cobbler (Ubuntu) | Fix Released | High | Unassigned |
maas-provision (Ubuntu) | Invalid | High | Unassigned |
Bug Description
It appears as if the power_system method exposed in the xmlrpc api is vulnerable to command injection through either the system handle (I am not sure about this one :-)), the provided password or the username.
The api.py code features the following:
    def power_on(self, system, user=None, password=None, logger=None):
        """
        Powers up a system that has power management configured.
        """
        return action_
and in action_power.py the following code is found under the 'power' method:
    def power(self, desired_state):
        ...
        template = self.get_
        meta = utils.blender(
        # allow command line overrides of the username/password
        if self.force_user is not None:
        if self.force_pass is not None:
        tmp = templar.
        cmd = tmp.render(
        cmd = cmd.strip()
        ...
        # use shell so we can have multiple power commands chained together
        cmd = ['/bin/sh','-c', cmd]
        # Try the power command 5 times before giving up.
        # Some power switches are flakey
        for x in range(0,5):
            output, rc = utils.subproces
see [0] for some of the source code in the utils.subprocess_sp method.
While shell=False is passed (eventually) through to the subprocess.Popen method, as the shell /bin/sh [1] has been provided in front of the command passed in, shell meta-characters will actually be a problem. As far as I can tell the template cmd rendering will not strip out shell meta-characters and opens up a command injection attack vector.
[0] utils.subproces
    def subprocess_
        if logger is not None:
            try:
                sp = sub_process.
        ...
[1] To verify that this is the case, you can test it out:
>>> import subprocess
>>> subprocess.
<subprocess.Popen object at 0x7f0ecaa92b50>
>>> lol
sh-4.1$
CVE References
visibility: private → public
Changed in maas-provision (Ubuntu):
importance: Undecided → High
Changed in cobbler (Ubuntu):
importance: Undecided → High
Changed in maas-provision (Ubuntu):
status: New → Confirmed
Changed in cobbler (Ubuntu):
status: Confirmed → Fix Committed
Without hitting the xmlrpc directly (just using a local python test script) I was able to inject shell commands by providing the following user-name:
";my command goes here ;" (when the power_rsa.template file was the selected power template).
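As an added example (not cobbler's code, and not from the bug reporter), the following Python shows the point made in the description above: passing shell=False changes nothing once the argv itself is /bin/sh -c <cmd>, and it shows the fix a maintainer would want, quoting each caller-controlled value with shlex.quote before it enters the template. The template, the canary value PAYLOAD and the helper names are constructed for the demonstration; the exact shape of a value that breaks out on the real system depends on how the selected power template quotes the field (the reporter names power_rsa.template), so the canary here is written for the constructed template only.

```python
# Added example, not cobbler's code: why argv ['/bin/sh', '-c', cmd] with
# shell=False still lets the shell parse cmd, and how quoting each
# caller-supplied value before template rendering prevents injection.
import os
import shlex
import subprocess

# Constructed stand-in for a power template (not power_rsa.template):
# the placeholders are filled from the XML-RPC caller's user/password.
# Note the template itself adds no quotes around the placeholders.
TEMPLATE = "echo login user={user} password={password}"

# Constructed canary value: a separator followed by a harmless echo.
PAYLOAD = "; echo INJECTED"

SH_AVAILABLE = os.path.exists("/bin/sh")


def render_unsafe(user, password):
    """Reported pattern: raw values dropped straight into the template."""
    return TEMPLATE.format(user=user, password=password).strip()


def render_safe(user, password):
    """Hardened rendering: shlex.quote wraps each value so /bin/sh sees
    it as one literal word regardless of ';', '|' or '$(...)' inside it.
    The template must not add its own quotes around the placeholder,
    otherwise the two quoting layers fight each other."""
    return TEMPLATE.format(user=shlex.quote(user),
                           password=shlex.quote(password)).strip()


def command_count(cmd):
    """Count the simple commands /bin/sh would run for cmd.
    punctuation_chars makes shlex emit ';', '|', '&' and friends as
    separate tokens only when they are unquoted, which is exactly when
    the shell treats them as operators. The hardened path must give 1."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    operators = [tok for tok in lexer
                 if tok and all(c in lexer.punctuation_chars for c in tok)]
    return 1 + len(operators)


def run_via_sh(cmd):
    """Execute exactly the reported way: shell=False, yet the argv itself
    is /bin/sh -c <cmd>, so the shell parses cmd anyway. Returns stdout."""
    proc = subprocess.run(["/bin/sh", "-c", cmd], shell=False,
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        cmd = render(PAYLOAD, "secret")
        print(f"{label}: {cmd!r} -> {command_count(cmd)} command(s)")
        if SH_AVAILABLE:
            print("  sh output:", run_via_sh(cmd).splitlines())
```

Run it directly to see both renderings and, where /bin/sh exists, what the shell actually executes: the unsafe rendering produces two commands and a second output line, the quoted one produces a single echo whose argument contains the separator as plain text. command_count is the kind of check a unit test for the renderer can assert on. Where chaining several power commands in one template is not actually needed, dropping /bin/sh altogether and handing subprocess an argv list is the stronger fix, since no shell parsing happens at all.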