[Openstack-security] [Bug 1613901] Re: String "..%c0%af" causes 500 errors in multiple locations in Keystone v3

Steve Martinelli 1613901 at bugs.launchpad.net
Wed Aug 17 02:39:58 UTC 2016 

** Changed in: keystone
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1613901

Title:
  String "..%c0%af" causes 500 errors in multiple locations in Keystone
  v3

Status in OpenStack Identity (keystone):
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:

  While doing some testing on Keystone using Syntribos
  (https://github.com/openstack/syntribos), our team (myself, Michael
  Dong, Rahul U Nair, Vinay Potluri, Aastha Dixit, and Khanak Nangia)
  noticed that we got 500 status codes when the string "..%c0%af" was
  inserted in various places in the URL for different types of requests.

  Here are some examples:

  =========

  DELETE /v3/policies/..%c0%af HTTP/1.1
  Host: [REDACTED]:5000
  Connection: close
  Accept-Encoding: gzip, deflate
  Accept: application/json
  User-Agent: python-requests/2.11.0
  X-Auth-Token: [REDACTED]
  Content-Length: 0

  HTTP/1.1 500 Internal Server Error
  Date: Tue, 16 Aug 2016 22:04:27 GMT
  Server: Apache/2.4.7 (Ubuntu)
  Vary: X-Auth-Token
  X-Distribution: Ubuntu
  x-openstack-request-id: req-238fd5a9-be45-41f2-893a-97b513b27af3
  Content-Length: 143
  Connection: close
  Content-Type: application/json

  {"error": {"message": "An unexpected error prevented the server from
  fulfilling your request.", "code": 500, "title": "Internal Server
  Error"}}

  =========

  PATCH /v3/policies/..%c0%af HTTP/1.1
  Host: [REDACTED]:5000
  Connection: close
  Accept-Encoding: gzip, deflate
  Accept: application/json
  User-Agent: python-requests/2.11.0
  Content-type: application/json
  X-Auth-Token: [REDACTED]
  Content-Length: 70

  {"type": "--serialization-mime-type--", "blob": "--serialized-blob--"}

  HTTP/1.1 500 Internal Server Error
  Date: Tue, 16 Aug 2016 22:05:36 GMT
  Server: Apache/2.4.7 (Ubuntu)
  Vary: X-Auth-Token
  X-Distribution: Ubuntu
  x-openstack-request-id: req-57a41600-02b4-4d2a-b3e9-40f7724d65f2
  Content-Length: 143
  Connection: close
  Content-Type: application/json

  {"error": {"message": "An unexpected error prevented the server from
  fulfilling your request.", "code": 500, "title": "Internal Server
  Error"}}

  =========

  GET /v3/domains/0426ac1e48f642ef9544c2251e07e261/groups/..%c0%af/roles HTTP/1.1
  Host: [REDACTED]:5000
  Connection: close
  Accept-Encoding: gzip, deflate
  Accept: application/json
  User-Agent: python-requests/2.11.0
  X-Auth-Token: [REDACTED]

  HTTP/1.1 500 Internal Server Error
  Date: Tue, 16 Aug 2016 22:07:09 GMT
  Server: Apache/2.4.7 (Ubuntu)
  Vary: X-Auth-Token
  X-Distribution: Ubuntu
  x-openstack-request-id: req-02313f77-63c6-4aa8-a87e-e3d2a13ad6b7
  Content-Length: 143
  Connection: close
  Content-Type: application/json

  {"error": {"message": "An unexpected error prevented the server from
  fulfilling your request.", "code": 500, "title": "Internal Server
  Error"}}

  =========

  I've marked this as a security issue as a precaution in case it turns
  out that there is a more serious vulnerability underlying these
  errors. We have no reason to suspect that there is a greater
  vulnerability at this time, but given the many endpoints this seems to
  affect, I figured caution was worthwhile since this may be a
  framework-wide issue. Feel free to make this public if it is
  determined not to be security-impacting.

  Here is a (possibly incomplete) list of affected endpoints. Inserting
  the string "..%c0%af" in any or all of the spots labeled "HERE" should
  yield a 500 error. As you can see, virtually all v3 endpoints exhibit
  this behavior.

  =========

  [GET|PATCH|DELETE] /v3/endpoints/[HERE]

  [GET|PATCH]       /v3/domains/[HERE]
  GET               /v3/domains/[HERE]/groups/[HERE]/roles
  [HEAD|PUT|DELETE] /v3/domains/[HERE]/groups/[HERE]/roles/[HERE]
  GET               /v3/domains/[HERE]/users/[HERE]/roles
  [HEAD|DELETE]     /v3/domains/[HERE]/users/[HERE]/roles/[HERE]

  [GET|PATCH|DELETE] /v3/groups/[HERE]
  [HEAD|PUT|DELETE]  /v3/groups[HERE]/users/[HERE]

  [POST|DELETE] /v3/keys/[HERE]

  [GET|PATCH|DELETE] /v3/policies/[HERE]
  [GET|PUT|DELETE]   /v3/policies/[HERE]/OS-ENDPOINT-POLICY/endpoints/[HERE]
  [GET|HEAD]         /v3/policies/[HERE]/OS-ENDPOINT-POLICY/policy
  [GET|PUT|DELETE]   /v3/policies/[HERE]/OS-ENDPOINT-POLICY/services/[HERE]
  [PUT|DELETE]       /v3/policies/[HERE]/OS-ENDPOINT-POLICY/services/[HERE]
  [GET|PUT|DELETE]   /v3/policies/[HERE]/OS-ENDPOINT-POLICY/services/regions/[HERE]

  [GET|PATCH|DELETE] /v3/projects/[HERE]
  [DELETE|PATCH]     /v3/projects/[HERE]/cascade
  GET                /v3/projects/[HERE]/groups/[HERE]/roles
  GET                /v3/projects/[HERE]/users/[HERE]/roles
  [HEAD|PUT|DELETE]  /v3/projects/[HERE]/groups/[HERE]/roles/[HERE]

  [GET|PATCH|DELETE] /v3/regions/[HERE]

  [PATCH|DELETE] /v3/roles/[HERE]

  [GET|PATCH|DELETE] /v3/services/[HERE]

  [GET|PATCH|DELETE] /v3/users/[HERE]
  GET /v3/users/[HERE]/groups
  POST /v3/users/[HERE]/password
  GET /v3/users/[HERE]/projects

  GET                /v3/OS-OAUTH1/users/[HERE]/access_tokens/[HERE]/roles/[HERE]
  [GET|PATCH|DELETE] /v3/OS-OAUTH1/consumers/[HERE]
  [GET|DELETE]       /v3/OS-OAUTH1/users/[HERE]/access_tokens/[HERE]

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1613901/+subscriptions

More information about the Openstack-security mailing list