|Summary:||CVE-2015-1815 setroubleshoot: command injection via crafted file name|
|Product:||[Other] Security Response||Reporter:||Martin Prpič <mprpic>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||lvrabec, mgrepl, mmalik, plautrba, pvrabec, security-response-team, ssekidde|
|Fixed In Version:||Doc Type:||Bug Fix|
It was found that setroubleshoot did not sanitize file names supplied in a shell command look-up for RPMs associated with access violation reports. An attacker could use this flaw to escalate their privileges on the system by supplying a specially crafted file to the underlying shell command.
|Last Closed:||2015-03-26 19:25:28 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1203973, 1203974, 1203975, 1203976, 1203977, 1206050|
Description Martin Prpič 2015-03-18 16:32:09 UTC
It was found that setroubleshoot did not sanitize file names supplied in a shell command look-up for RPMs associated with access violation reports. An attacker could use this flaw to escalate their privileges on the system by supplying a specially crafted file to the underlying shell command. The vulnerable code in util.py: 266 def get_rpm_nvr_by_file_path_temporary(name): 267 if name is None or not os.path.exists(name): 268 return None 269 270 nvr = None 271 try: 272 import commands 273 rc, output = commands.getstatusoutput("rpm -qf '%s'" % name) 274 if rc == 0: 275 nvr = output 276 except: 277 syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" % name) 278 return nvr Acknowledgements: Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.
Comment 4 Petr Lautrbach 2015-03-19 10:59:12 UTC
Created attachment 1003803 [details] don't use unsecure commands.getstatusoutput in for getting rpm nvr subprocess module methods doesn't use shell by default.
Comment 12 Petr Lautrbach 2015-03-20 10:46:57 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #10) > This looks insufficient. What if a filename is e.g. "-a"? > > BTW, at least my copy of RPM doesn't appear to support "--" to stop > sub-option parsing. > > In general, this design feels very fragile. I'd disable the feature. Thinking more about this I'd use the proposed patch: - You should not be able to run arbitrary code using only an argument of rpm command. - When you have "-a" file, rpm command will get "/tmp/-a" as an argument, not "-a" directly
Comment 13 Petr Lautrbach 2015-03-20 15:56:29 UTC
Created attachment 1004551 [details] fix get_rpm_nvr_*_temporary functions - use subprocess.check_output() instead of commands.getstatusoutput() - use os.path.abspath() to get a normalized absolutized version of the name.
Comment 16 Huzaifa S. Sidhpurwala 2015-03-26 08:06:04 UTC
Comment 17 Huzaifa S. Sidhpurwala 2015-03-26 08:12:31 UTC
Created setroubleshoot tracking bugs for this issue: Affects: fedora-all [bug 1206050]
Comment 18 Tomas Hoger 2015-03-26 12:00:02 UTC
Write-up and public exploit from the reporter: https://github.com/stealth/troubleshooter
Comment 19 errata-xmlrpc 2015-03-26 13:56:51 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Via RHSA-2015:0729 https://rhn.redhat.com/errata/RHSA-2015-0729.html
Comment 20 Fedora Update System 2015-03-31 21:59:02 UTC
setroubleshoot-3.2.22-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2015-04-08 06:55:58 UTC
setroubleshoot-3.2.17-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2015-04-08 06:58:48 UTC
setroubleshoot-3.2.22-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.