Reviewed:  https://review.openstack.org/564555
Committed: https://git.openstack.org/cgit/openstack/oslo.rootwrap/commit/?id=ed125c0c1cd6168cbf529c94ef81173dedce2726
Submitter: Zuul
Branch:    master

commit ed125c0c1cd6168cbf529c94ef81173dedce2726
Author: Daniel Alvarez <dalvarez at redhat.com>
Date:   Thu Apr 26 18:33:21 2018 +0200

    Make IpNetnsExecFilter more strict to detect aliases

    Currently, this filter only takes into account 'ip netns exec' as input
    but this command accepts different aliases like 'ip net e' or
    'ip netn ex', etcetera. This is a security issue since bypassing this
    filter basically allows anyone to execute arbitrary commands because
    IpFilter will get hit and there's not going to be any further checks
    against CommandFilters.

    Change-Id: I2f6e55de4e60f2d3a6166c2fefbc31e9afc6c26f
    Closes-Bug: 1765734
    Co-Authored-By: Jakub Libosvar <jlibosva at redhat.com>
    Signed-off-by: Daniel Alvarez <dalvarez at redhat.com>

** Changed in: oslo.rootwrap
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1765734

Title:
  one can bypass filters and execute arbitrary commands on namespaces

Status in oslo.rootwrap:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  When this filter [0] is enabled in conjunction with IpNetnsExecFilter,
  only commands allowed explicitly through the CommandFilter should get
  to execute in the specified namespace. However, due to the fact that
  these two commands are exactly the same:

    ip netns exec $namespace echo $my_ssh_key >> /root/.ssh/authorized_keys
    ip net exec $namespace echo $my_ssh_key >> /root/.ssh/authorized_keys

  One can execute the latter without any CommandFilter for the 'echo'
  command. This is a big security issue since anyone can make changes to
  the filesystem and execute arbitrary commands bypassing the
  IpNetnsExecFilter.

  The solution is simply patching this code [1] by checking that the
  second element starts with 'net', and the third one starts with 'e'.

  [0] ip: IpFilter, ip, root
  [1] https://github.com/openstack/oslo.rootwrap/blob/0fa59b04e89ad94085780550466368e6f351a9e1/oslo_rootwrap/filters.py#L376
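
Added example, not code from oslo.rootwrap or from the bug report: a simplified Python model of the two filters, showing why matching only the literal 'netns exec' lets an abbreviated spelling fall through to the permissive ip filter, and how matching the abbreviations routes it back through the allowlist check. The alias tuples, the ALLOWED_IN_NETNS allowlist and all function names are assumptions made for the illustration.

```python
# Simplified model, not oslo.rootwrap code; the alias tuples are an assumption.
NETNS_ALIASES = ("net", "netn", "netns")
EXEC_ALIASES = ("e", "ex", "exe", "exec")
ALLOWED_IN_NETNS = {"ping"}  # hypothetical CommandFilter allowlist


def _is_netns_exec(a, b, hardened):
    """True when the adjacent tokens a, b select 'ip netns exec'."""
    if hardened:
        return a in NETNS_ALIASES and b in EXEC_ALIASES
    return a == "netns" and b == "exec"  # pre-fix: literal spelling only


def ip_filter_matches(argv, hardened):
    """Permissive filter: any 'ip ...' call that is not a namespace exec."""
    if not argv or argv[0] != "ip":
        return False
    pairs = zip(argv[1:], argv[2:])
    return not any(_is_netns_exec(a, b, hardened) for a, b in pairs)


def netns_exec_filter_matches(argv, hardened):
    """Chaining filter: 'ip netns exec <ns> <cmd ...>' with <cmd> allowlisted."""
    if len(argv) < 5 or argv[0] != "ip":
        return False
    if not _is_netns_exec(argv[1], argv[2], hardened):
        return False
    return argv[4] in ALLOWED_IN_NETNS


def authorize(argv, hardened):
    """Name of the filter that lets argv run as root, or None if denied."""
    if netns_exec_filter_matches(argv, hardened):
        return "IpNetnsExecFilter"
    if ip_filter_matches(argv, hardened):
        return "IpFilter"
    return None


if __name__ == "__main__":
    samples = [  # constructed sample invocations
        "ip link show",
        "ip netns exec ns1 ping 10.0.0.1",
        "ip netns exec ns1 echo x",
        "ip net e ns1 echo x",
        "ip netn ex ns1 ping 10.0.0.1",
    ]
    for s in samples:
        print(s, "->", authorize(s.split(), False), "/", authorize(s.split(), True))
```

In the output, an abbreviated invocation that the literal check hands to IpFilter is either denied or attributed to IpNetnsExecFilter once the abbreviations are matched.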