Bug 1153470 (CVE-2014-3702)

Summary: CVE-2014-3702 eDeploy: Path traversal in the session parameter
Product: [Other] Security Response Reporter: David Jorm <djorm>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: grocha, jrusnack, mjc, security-response-team, tdecacqu, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-17 23:27:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1152549    

Description David Jorm 2014-10-16 04:45:40 UTC 
A path traversal flaw was found in eDeploy's session parameter handler. A remote attacker could use this flaw to create arbitrary directories on the server, potentially leading to a denial-of-service.
Comment 1 David Jorm 2014-10-16 04:47:55 UTC 
Acknowledgements:

This issue was discovered by Andrew Griffiths of Red Hat Product Security.
Comment 3 Kurt Seifried 2015-03-17 19:48:23 UTC 
upload.py:

        # If the filename ends with a .log, we need to process it as a log file
[1]     if ('file' in form) and (form['file'].filename.endswith('.log.gz')):
            logitem = form['file']
            logfile = logitem.file
            try:
                # Let's save the file in LOGDIR directory
                log_dir = os.path.normpath(config_get('SERVER', 'LOGDIR', cfg_dir)) + '/'
[2]             filename = os.path.join(log_dir, logitem.filename)
                output_file = open(filename, 'w')
                output_file.write(logfile.read(-1))
                output_file.close()
            except Exception, xcpt:
                # If we fails at saving, let's exit
                fatal_error("exception while saving log file: %s" % str(xcpt))
                sys.exit(1)
            # If the succeed at saving log file, let's also exit
            # In fact we have nothing more to do once its saved.
            log('Log file %s saved' % logitem.filename)
            sys.exit(0)

1 - if the file is specified ending with .log.gz, at [2], we can write an arbitrary file
due to an unsanitized filename like ../../../../../../../var/log/whatever.log.gz if the 
httpd is overly privileged, etc.


upload.py returns python code to be executed on the client:

    sys.stdout.write('''
import commands
import os
import sys

import hpacucli
import ipmi
import time

...


upload-health.py

    if form.getvalue('session'):
        dest_dir = cfg_dir + form.getvalue('session') + '/' + dirname
    else:
        dest_dir = cfg_dir + '/' + dirname

    try:
        if not os.path.isdir(dest_dir):
            os.makedirs(dest_dir)

session = a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z for fast fs directory making attack,

can return arbitrary shell commands to be ran:

    '''Report a shell script with the error message and log
    the message on stderr.'''
    print('''#!/bin/sh

cat <<EOF
%s
EOF

exit 1
''' % error)
Comment 4 Kurt Seifried 2015-03-17 23:27:56 UTC 
This is now filed publicly https://github.com/enovance/edeploy/issues/231
Comment 5 Kurt Seifried 2015-03-19 04:16:53 UTC 
Statement:

Red Hat does not currently ship eNovance edeploy in a product form and as such this issue has been filed upstream.