Arbitrary shell remote execution on discovery image
|Assigned To:||Lukas Zapletal|
|Target version:||Image 3.3.2|
|Velocity based estimate||-|
It is possible to remotely execute arbitrary shell code on a discovered satellite node running foreman-discovery-image (all versions).
There is an API to initiate the kexec command that replaces the running kernel with the Anaconda installer to start provisioning. This API is public, unauthenticated, plain HTTPS, and accepts JSON, for example:
"append": "ks=http://hao-xxxcom:8000/unattended/provision?token=23edd325-7fe4-4992-99ea-059296565b4a&static=yes kssendmac nicdelay=5 ip=192.168.100.197 netmask=255.255.255.0 gateway=192.168.100.1 dns=192.168.100.167 ksdevice=52:54:00:30:58:ba BOOTIF=00-52-54-00-30-58-ba"
The kexec command is composed as a string and executed via the Ruby system command (which, given a single string, spawns a shell), and there is no shell escaping, so the vulnerability is pretty clear. This happened because the method was originally used only internally (for the shutdown command) and was then extended:
While this is remote execution and it is pretty serious, keep in mind that discovered hosts are LiveCDs running from memory, so there is no possible data leak directly from them. The hosts can be abused, though.
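To show the difference between the two ways of calling system() that the report hinges on, here is an added Ruby example (not code from foreman-discovery-image): the interpolated single-string form beside an argv form with input validation. Function names, the character-class regexes and the kernel/initrd paths are assumptions.

```ruby
require 'shellwords'

# Vulnerable pattern (as the report describes): the command is built by string
# interpolation and would be handed to system() as ONE string, so Ruby runs
# /bin/sh -c "..." and the shell interprets any metacharacters found in the
# client-supplied "append" value.
def kexec_command_vulnerable(kernel, initrd, append)
  "kexec -l #{kernel} --initrd=#{initrd} --append=\"#{append}\""
end

# Hardened pattern: validate the untrusted fields against a conservative
# allow-list, then return an argv array. system(*argv) execs kexec directly
# with no shell, so each element reaches kexec verbatim as one argument.
APPEND_CHARSET = /\A[\w\s.:\/=?&%,@-]*\z/ # assumed kernel-cmdline charset
PATH_CHARSET   = /\A[\w.\/-]+\z/          # assumed charset for local paths

def kexec_argv_hardened(kernel, initrd, append)
  raise ArgumentError, 'bad kernel path'  unless kernel.match?(PATH_CHARSET)
  raise ArgumentError, 'bad initrd path'  unless initrd.match?(PATH_CHARSET)
  raise ArgumentError, 'bad append value' unless append.match?(APPEND_CHARSET)
  # Call site would be: system(*argv)  (array form => no shell involved)
  ['kexec', '-l', kernel, "--initrd=#{initrd}", "--append=#{append}"]
end

# Quote the argv for an audit log so the logged line reproduces exactly the
# arguments that were executed.
def render_for_log(argv)
  Shellwords.join(argv)
end
```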