[Openstack] [OSSN 0026] Unrestricted write permission to config files can allow code execution
Nathan Kinder
nkinder at redhat.com
Fri Sep 5 20:16:54 UTC 2014
Unrestricted write permission to config files can allow code execution
---
### Summary ###
In numerous places throughout OpenStack projects, variables are read
directly from configuration files and used to construct statements
which are executed with the privileges of the OpenStack service. Since
configuration files are trusted, the input is not checked or sanitized.
If a malicious user is able to write to these files, they may be able
to execute arbitrary code as the OpenStack service.
### Affected Services / Software ###
Nova / All versions, Trove / Juno, possibly others
### Discussion ###
Some OpenStack services rely on operating system commands to perform
certain actions. In some cases these commands are created by appending
input from configuration files to a specified command, and passing the
complete command directly to the operating system shell to execute.
For example:
--- begin example example.py snippet ---
import subprocess
# Vulnerable: config.DIRECTORY is concatenated into a string run by the shell
command = 'ls -al ' + config.DIRECTORY
subprocess.Popen(command, shell=True)
--- end example example.py snippet ---
In this case, if config.DIRECTORY is set to something benign like
'/opt' the code behaves as expected. If, on the other hand, an
attacker is able to set config.DIRECTORY to something malicious such as
'/opt ; rm -rf /etc', the shell will execute both 'ls -al /opt' and
'rm -rf /etc'. When called with shell=True, the shell will blindly execute
anything passed to it. Code with the potential for shell injection
vulnerabilities has been identified in the above mentioned services and
versions, but vulnerabilities are possible in other services as well.
Please see the links at the bottom for a couple of examples in Nova and
Trove.
### Recommended Actions ###
Ensure permissions for configuration files across all OpenStack
services are set so that only the owner user can read/write to them.
In cases where other processes or users may have write access to
configuration files, ensure that all settings are sanitized and
validated.
Additionally, the principle of least privilege should always be observed:
files should be protected with the most restrictive permissions
possible. Other serious security issues, such as the exposure of
plaintext credentials, can result from permissions which allow
malicious users to view sensitive data (read access).
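The two recommendations above, as an added example that is not part of the
original note or of any OpenStack project's code: an owner-only permission
check for a configuration file, and the 'ls -al' call from the discussion
rewritten to validate the setting and run without a shell. The function names
are hypothetical, and Python 3.7+ on a POSIX system is assumed.

```python
import os
import stat
import subprocess
import tempfile


def config_is_owner_only(path, expected_uid=None):
    """Return True if 'path' is a regular file that only its owner can access.

    Hypothetical helper: any group/other permission bit fails the check, which
    matches "only the owner user can read/write" from the note.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if expected_uid is not None and st.st_uid != expected_uid:
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def list_directory(directory):
    """Run 'ls -al' on a config-supplied directory without invoking a shell.

    Hypothetical replacement for the vulnerable snippet: the setting is
    validated first, then passed as a single argv entry, so characters such
    as ';' are never interpreted as shell syntax.
    """
    if not os.path.isabs(directory) or not os.path.isdir(directory):
        raise ValueError("not an existing absolute directory: %r" % directory)
    # "--" stops option parsing, so a value starting with "-" is not a flag.
    proc = subprocess.run(["ls", "-al", "--", directory],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample: a temporary file standing in for a service config.
    workdir = tempfile.mkdtemp()
    cfg = os.path.join(workdir, "service.conf")
    open(cfg, "w").close()
    os.chmod(cfg, 0o646)  # world-writable: the situation the note warns about
    print("0646 owner-only?", config_is_owner_only(cfg))
    os.chmod(cfg, 0o600)
    print("0600 owner-only?", config_is_owner_only(cfg))
    print(list_directory(workdir))
```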
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0026
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1343657
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Shell Injection:
https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
Additional LaunchPad Bugs:
https://bugs.launchpad.net/trove/+bug/1349939
https://bugs.launchpad.net/nova/+bug/1192971