Bug 968166 (CVE-2013-2121)

Summary: CVE-2013-2121 Foreman: app/controllers/bookmarks_controller.rb remote code execution
Product: [Other] Security Response Reporter: Garth Mollett <gmollett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aortega, apevec, athomas, ayoung, bkearney, chrisw, cpelland, dcleal, gsutclif, iheim, jmagen, jrusnack, kseifried, markmc, mmccune, ohadlevy, rbryant, sclewis, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://projects.theforeman.org/issues/2631
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-20 05:23:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 968172, 968173, 969029    
Bug Blocks: 966806    

Description Garth Mollett 2013-05-29 07:08:18 UTC 
Ramon de C Valle (rcvalle@redhat.com) reports:

There is a code injection vulnerability in the create method of the
Bookmarks controller. The create method uses the (mass-assigned)
controller attribute of the newly created bookmark in an eval statement
without sanitizing it:

def create
@bookmark = Bookmark.new(params[:bookmark])

respond_to do |format|
if @bookmark.save
format.html { redirect_to(eval(@bookmark.controller+"_path"),
:notice => _('Bookmark was successfully created.')) }
else
format.html { render :action => "new" }
end
end
end

Any user with permissions to create a bookmark can execute arbitrary
code and arbitrary system commands by sending a specially-crafted POST
request. The controller attribute is validated with the regular
expression /\A(\S+)\Z/, which prevents us from using code containing
spaces. However, this can be easily circumvented (see example (a)). The
following are some possible example attacks, including arbitrary command
execution.
Comment 4 Murray McAllister 2013-05-30 22:20:50 UTC 
Acknowledgements:

This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.
Comment 5 Dominic Cleal 2013-06-07 09:48:22 UTC 
Upstream tracker: http://projects.theforeman.org/issues/2631

A fix has been committed:
commit ef4b97d177c58c9532730d53dca0517bc869a0ce
Author: Joseph Mitchell Magen <jmagen@redhat.com>
Date:   Mon Jun 3 18:11:32 2013 +0100

    fixes #2631 - fix remote code execution via controller name (CVE-2013-2121)

And cherry-picked to stable branches:
1.2-stable: 2f3839eb9928bd04876c2e1bfe509cd9ed120991
1.1-stable: 8920e796a285201e9e0f6af0220e79d257077d7d

The fix will be packaged as part of Foreman 1.2.0-RC2.

foreman-users announcement: http://groups.google.com/group/foreman-users/browse_thread/thread/e96a4eff7ba08975
Comment 9 Kurt Seifried 2013-06-13 16:05:18 UTC 
This issue is public: http://projects.theforeman.org/issues/2631
Comment 10 errata-xmlrpc 2013-06-27 16:45:31 UTC 
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0995 https://rhn.redhat.com/errata/RHSA-2013-0995.html