Bug 1152545 (CVE-2014-3700)

Summary: CVE-2014-3700 eDeploy: Remote code execution due to eval() of untrusted data
Product: [Other] Security Response
Reporter: David Jorm <djorm>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Severity: high
Priority: high
Version: unspecified
CC: grocha, jrusnack, mjc, security-response-team, tdecacqu, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-03-17 23:27:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 1152549

Description David Jorm 2014-10-14 11:44:59 UTC
It was found that multiple code paths in eDeploy would call eval() with unsanitized user-supplied input. A remote attacker could exploit this to execute arbitrary code on the eDeploy server.

Comment 1 David Jorm 2014-10-14 11:45:40 UTC

This issue was discovered by Andrew Griffiths of Red Hat Product Security.

Comment 3 Kurt Seifried 2015-03-17 19:48:17 UTC
Multiple eval() usages, leading to arbitrary code execution on servers and clients (in MITM-type attacks).

Unsafe directory handling situations, filename handling. Should introduce whitelisting.

Comprehensive security training, with initial targets identified by GitHub commit logs :-)

upload-health.py:        hw_items = eval(hw_file.read(-1))
upload.py:        hw_items = eval(hw_file.read(-1))

hw_file is specified to the CGI script via

$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload-health.py
$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py

respectively. Allows arbitrary Python code execution.

matcher.py:        lst = eval('(' + _list + ')')

Need to trace the code flow for _list, but probably vuln.
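
The pattern above, shown as an added example that is not eDeploy's own code: a parser that mirrors the `eval(hw_file.read(-1))` line from upload.py beside a hardened replacement built on `ast.literal_eval` plus shape validation, and a whitelist check of the kind comment 3 asks for on the `name` form field. It assumes (the bug page does not describe either) that hw.lst is a Python literal list of 4-tuples of strings and that `name` ends up in a filesystem path; the sample and malicious uploads are constructed for the example. The same replacement applies to the `eval('(' + _list + ')')` call in matcher.py.

```python
import ast
import re

# Constructed sample of the hw.lst format as this example assumes it
# (a Python literal list of 4-tuples of strings).
SAMPLE_HW_LST = (
    "[('system', 'product', 'name', 'example-server'), "
    "('disk', 'sda', 'size', '500')]"
)

# Constructed malicious upload: still shaped like a list of tuples, but the
# fourth field is an expression that eval() executes on the server.
MALICIOUS_HW_LST = "[('system', 'product', 'name', __import__('os').getpid())]"


def parse_hw_list_vulnerable(text):
    """Mirrors the vulnerable pattern: eval() on the raw upload body."""
    return eval(text)  # deliberately vulnerable, for comparison only


def parse_hw_list_safe(text, max_items=10000):
    """Parse hw.lst as data only, then enforce the expected shape.

    ast.literal_eval builds the value from the AST without executing it, so
    names, calls, attribute access and __import__ all raise ValueError.
    """
    if len(text) > 1_000_000:
        raise ValueError("hw.lst too large")
    try:
        data = ast.literal_eval(text)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError("hw.lst is not a plain literal: %s" % exc) from exc
    if not isinstance(data, list) or len(data) > max_items:
        raise ValueError("hw.lst must be a list of at most %d items" % max_items)
    for entry in data:
        if not (isinstance(entry, tuple) and len(entry) == 4
                and all(isinstance(field, str) for field in entry)):
            raise ValueError("bad hw.lst entry: %r" % (entry,))
    return data


def is_rejected(text):
    """True if the hardened parser refuses the input."""
    try:
        parse_hw_list_safe(text)
    except ValueError:
        return True
    return False


# Whitelist for the 'name' form field (assumed to be used to build a path):
# alphanumerics, '_', '.', '-', no leading dot, no '..', no separators.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def is_safe_name(name):
    return bool(NAME_RE.match(name)) and ".." not in name


if __name__ == "__main__":
    print(parse_hw_list_safe(SAMPLE_HW_LST))
    print("vulnerable parser ran attacker code:",
          parse_hw_list_vulnerable(MALICIOUS_HW_LST))
    print("hardened parser rejected it:", is_rejected(MALICIOUS_HW_LST))
    print("name whitelist:", is_safe_name("test"), is_safe_name("../etc/passwd"))
```

Note that `eval(text, {"__builtins__": {}})` is not an acceptable fix: attribute walks from literals (for example via `().__class__.__bases__[0].__subclasses__()`) still reach arbitrary code. Only a non-executing parser such as `ast.literal_eval` (or a real data format like JSON) removes the code-execution path, and the shape check afterwards is what turns "some literal" into "a hw.lst".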

Comment 4 Kurt Seifried 2015-03-17 23:26:29 UTC
This is now filed publicly https://github.com/enovance/edeploy/issues/233

Comment 5 Kurt Seifried 2015-03-17 23:27:18 UTC
This is now filed publicly https://github.com/enovance/edeploy/issues/233

Comment 6 Kurt Seifried 2015-03-19 04:17:04 UTC

Red Hat does not currently ship eNovance edeploy in a product form and as such this issue has been filed upstream.