Bug 1152545 (CVE-2014-3700)

Summary: CVE-2014-3700 eDeploy: Remote code execution due to eval() of untrusted data
Product: [Other] Security Response Reporter: David Jorm <djorm>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: grocha, jrusnack, mjc, security-response-team, tdecacqu, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-17 23:27:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1152549    

Description David Jorm 2014-10-14 11:44:59 UTC
It was found that multiple code paths in eDeploy would call eval() with unsantized user-supplied input. A remote attacker could exploit this to execute arbitrary code on the eDeploy server.

Comment 1 David Jorm 2014-10-14 11:45:40 UTC
Acknowledgements:

This issue was discovered by Andrew Griffiths of Red Hat Product Security.

Comment 3 Kurt Seifried 2015-03-17 19:48:17 UTC
Summary:
  Multiple eval() usages, leading to arbitrary code execution on servers and clients (in mitm type attacks).

  Unsafe directory handling situations, filename handling. Should introduce whitelisting.

Solution:
  Comprehensive security training, with initial targets identified by github commit
  logs :-)  

upload-health.py:        hw_items = eval(hw_file.read(-1))
upload.py:        hw_items = eval(hw_file.read(-1))

hw_file is specified to the cgi script via 

$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py

respectively. allows arbitrary python code execution

matcher.py:        lst = eval('(' + _list + ')')

need to trace the code flow for _list, but .. probably vuln.

Comment 4 Kurt Seifried 2015-03-17 23:26:29 UTC
This is now filed publicly https://github.com/enovance/edeploy/issues/233

Comment 5 Kurt Seifried 2015-03-17 23:27:18 UTC
This is now filed publicly https://github.com/enovance/edeploy/issues/233

Comment 6 Kurt Seifried 2015-03-19 04:17:04 UTC
Statement:

Red Hat does not currently ship eNovance edeploy in a product form and as such this issue has been filed upstream.