Bug 1203352 (CVE-2015-1815)

Summary: CVE-2015-1815 setroubleshoot: command injection via crafted file name
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, security-response-team, ssekidde
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that setroubleshoot did not sanitize file names supplied in a shell command look-up for RPMs associated with access violation reports. An attacker could use this flaw to escalate their privileges on the system by supplying a specially crafted file to the underlying shell command.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-26 19:25:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1203973, 1203974, 1203975, 1203976, 1203977, 1206050    
Bug Blocks: 1203354    
Attachments:
Description Flags
don't use unsecure commands.getstatusoutput in for getting rpm nvr
none
fix get_rpm_nvr_*_temporary functions none

Description Martin Prpič 2015-03-18 16:32:09 UTC
It was found that setroubleshoot did not sanitize file names supplied in a shell command look-up for RPMs associated with access violation reports. An attacker could use this flaw to escalate their privileges on the system by supplying a specially crafted file to the underlying shell command.

The vulnerable code in util.py:

266 def get_rpm_nvr_by_file_path_temporary(name):
267     if name is None or not os.path.exists(name):
268         return None
269 
270     nvr = None
271     try:
272         import commands
273         rc, output = commands.getstatusoutput("rpm -qf '%s'" % name)
274         if rc == 0:
275             nvr = output
276     except:
277         syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" %     name)
278     return nvr

Acknowledgements:

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for
reporting this issue.

Comment 4 Petr Lautrbach 2015-03-19 10:59:12 UTC
Created attachment 1003803 [details]
don't use unsecure commands.getstatusoutput in for getting rpm nvr

subprocess module methods doesn't use shell by default.

Comment 12 Petr Lautrbach 2015-03-20 10:46:57 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #10)
> This looks insufficient.  What if a filename is e.g. "-a"?
> 
> BTW, at least my copy of RPM doesn't appear to support "--" to stop
> sub-option parsing.
> 
> In general, this design feels very fragile.  I'd disable the feature.

Thinking more about this I'd use the proposed patch:

- You should not be able to run arbitrary code using only an argument of rpm command. 
- When you have "-a" file, rpm command will get "/tmp/-a" as an argument, not "-a" directly

Comment 13 Petr Lautrbach 2015-03-20 15:56:29 UTC
Created attachment 1004551 [details]
fix get_rpm_nvr_*_temporary functions

- use subprocess.check_output() instead of commands.getstatusoutput()
- use os.path.abspath() to get a normalized absolutized version of the name.

Comment 16 Huzaifa S. Sidhpurwala 2015-03-26 08:06:04 UTC
Public via:

http://www.openwall.com/lists/oss-security/2015/03/26/1

Comment 17 Huzaifa S. Sidhpurwala 2015-03-26 08:12:31 UTC
Created setroubleshoot tracking bugs for this issue:

Affects: fedora-all [bug 1206050]

Comment 18 Tomas Hoger 2015-03-26 12:00:02 UTC
Write-up and public exploit from the reporter:

https://github.com/stealth/troubleshooter

Comment 19 errata-xmlrpc 2015-03-26 13:56:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5

Via RHSA-2015:0729 https://rhn.redhat.com/errata/RHSA-2015-0729.html

Comment 20 Fedora Update System 2015-03-31 21:59:02 UTC
setroubleshoot-3.2.22-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2015-04-08 06:55:58 UTC
setroubleshoot-3.2.17-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2015-04-08 06:58:48 UTC
setroubleshoot-3.2.22-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.