[Openstack-security] [Bug 1335208] Re: Shell injection possibility in cmd/control.py
Robert Clark
1335208 at bugs.launchpad.net
Wed Jul 23 14:23:40 UTC 2014
I have a general concern around this.
In large deployments, the people that configure the service are often
not those who run it. Some developers write the configuration files for
Glance etc and store them in their chosen config management system,
which a 'deployer' later uses to deploy the service etc.
Due to this separation of concerns there is possibility for an attacker
who does not have production access (ie some developer) to gain it
through abuse of a cmd injection vulnerability such as this one.
The risk is pretty low and I have no objection to this being opened up
for public review but it's worth keeping in mind that it's entirely
possible that your admin-owned config files running in production were
crafted by developers without production access...
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1335208
Title:
Shell injection possibility in cmd/control.py
Status in OpenStack Image Registry and Delivery Service (Glance):
Fix Released
Status in OpenStack Security Advisories:
Invalid
Bug description:
The glance/cmd/control.py file contains a possible shell injection
vulnerability:
https://github.com/openstack/glance/blob/master/glance/cmd/control.py#L134
. Setting 'shell=True' here opens the possibility of shell injection
by setting server to something like '; rm -rf /'. This will cause the
command 'rm -rf /' to be run with the privileges of the user that ran
Glance.
This may not be a major security concern at this time because the only
place that I found for 'server' to come from is a Glance configuration
file, which should be locked down. Only privileged users should have
write access to the config file, and if they want to do bad things on
the system there are easier ways.
Still, 'shell=True' appears to be completely unnecessary for this
call. Simply omitting the shell parameter here will cause it to
revert to the default behavior, which requires that the command to be
run be specified in a separate parameter than the arguments to the
command. This effectively prevents shell injection vulnerabilities.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1335208/+subscriptions
More information about the Openstack-security
mailing list