[Openstack-security] [Bug 1450798] Re: Multiple command injection vulns in schema_diff tool

Roman Podoliaka rpodolyaka+bugs at mirantis.com
Wed Aug 5 09:35:09 UTC 2015 

** Changed in: nova
   Importance: Undecided => Wishlist

** Changed in: nova
       Status: New => Confirmed

** Changed in: nova
     Assignee: (unassigned) => Roman Podoliaka (rpodolyaka)

** Changed in: nova
       Status: Confirmed => In Progress

** Changed in: nova
    Milestone: None => liberty-3

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1450798

Title:
  Multiple command injection vulns in schema_diff tool

Status in OpenStack Compute (nova):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  These lines in the latest Nova (as of May 1, 2015) are vulnerable to
  command injection

  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L86
  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L103
  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L117

  
  In this case (https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L86 ), if a malicious filename such as "; rm -rf /etc" is provided, the /etc directory will be removed with the privileges of the user running this script.

  In this case
  (https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L103),
  if either a malicious name or filename are provided, the command will
  be executed with the privileges of the running user.

  In this
  case(https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L117),
  if either a malicious name or filename are provided, the command will
  be executed with the privileges of the running user.

  
  I'm not familiar enough with the usage of this module to know all of the places these inputs can come from, but presumably it can be used in automation, potentially with elevated privileges.  I'm sure the idea of this script is to allow certain functionality, not unrestricted commands.  The way this has been developed allows unrestricted command execution by tampering with any of the above mentioned inputs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1450798/+subscriptions

More information about the Openstack-security mailing list