[Openstack-security] [Bug 1450798] Re: Multiple command injection vulns in schema_diff tool

Travis McPeak travis.mcpeak at hpe.com
Tue Feb 9 14:51:47 UTC 2016


Hmm, ok.  It's still being called with shell=True needlessly, as there
are documented safe ways of doing what you're trying to do here:
https://security.openstack.org/guidelines/dg_avoid-shell-true.html .

Is it possible that it will be used as part of an automated process that
takes input from somewhere that might be user controlled?  If so this
can lead to code being run on that box.

If nothing else, when poor examples like this begin to make their way out
of the code, at least new developers won't copy these patterns to places
that are more mission critical.

That being said, if the idea is that "it isn't run in production so we
don't care", I'll certainly file with that in mind in the future.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1450798

Title:
  Multiple command injection vulns in schema_diff tool

Status in OpenStack Compute (nova):
  Invalid
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  These lines in the latest Nova (as of May 1, 2015) are vulnerable to
  command injection:

  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L86
  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L103
  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L117

  
  In this case (https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L86 ), if a malicious filename such as "; rm -rf /etc" is provided, the /etc directory will be removed with the privileges of the user running this script.

  In this case
  (https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L103),
  if either a malicious name or filename is provided, the command will
  be executed with the privileges of the running user.

  In this case
  (https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L117),
  if either a malicious name or filename is provided, the command will
  be executed with the privileges of the running user.

  
  I'm not familiar enough with the usage of this module to know all of the places these inputs can come from, but presumably it can be used in automation, potentially with elevated privileges.  I'm sure the idea of this script is to allow certain functionality, not unrestricted commands.  The way this has been developed allows unrestricted command execution by tampering with any of the above mentioned inputs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1450798/+subscriptions
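
An added illustration of the shell=True concern raised in this thread; it is not code from schema_diff.py or from anyone on the list. `echo` stands in for the database dump tool, and the function names and the constructed filename are assumptions made for the demo.

```python
import os
import subprocess
import tempfile

# Assumption: "echo" stands in for the real schema dump binary so the
# example runs offline on any POSIX system.
DUMP_TOOL = "echo"


def dump_unsafe(name, filename, cwd):
    """The pattern the report objects to: interpolate, then hand to a shell."""
    cmd = "%s schema-of %s > %s" % (DUMP_TOOL, name, filename)
    # The shell parses ';', '>', '$()' etc. found inside name/filename.
    subprocess.check_call(cmd, shell=True, cwd=cwd)


def dump_safe(name, filename, cwd):
    """Same job without a shell: argv list, redirection done by Python."""
    with open(os.path.join(cwd, filename), "w") as out:
        # Each list element reaches the tool as one literal argument.
        subprocess.check_call([DUMP_TOOL, "schema-of", name],
                              stdout=out, cwd=cwd)


def demo():
    """Run both variants on the same input; return the files each created."""
    # Constructed input: a harmless marker command after the ';'.
    hostile = "out.sql; touch INJECTED"
    results = {}
    for label, fn in (("unsafe", dump_unsafe), ("safe", dump_safe)):
        with tempfile.TemporaryDirectory() as workdir:
            fn("nova", hostile, workdir)
            results[label] = sorted(os.listdir(workdir))
    return results


if __name__ == "__main__":
    for label, files in demo().items():
        print(label, files)
```

With the shell, the part after `;` runs as a second command and leaves an `INJECTED` file next to `out.sql`; without it, the whole string is simply an odd filename.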



