Bug 1107528 (CVE-2014-3486) - CVE-2014-3486 CFME: SSH Utility insecure tmp file creation leading to code execution as root
Summary: CVE-2014-3486 CFME: SSH Utility insecure tmp file creation leading to code ex...
Status: CLOSED ERRATA
Alias: CVE-2014-3486
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20140630,repo...
Keywords: Security
Depends On: 1107532 1107533
Blocks: 1086525 1107530
Reported: 2014-06-10 06:59 UTC by Kurt Seifried
Modified: 2019-06-08 20:04 UTC (History)
Clone Of:
Last Closed: 2014-06-30 23:23:18 UTC


Attachments


External Trackers
Tracker ID: Red Hat Product Errata RHSA-2014:0816 | Priority: normal | Status: SHIPPED_LIVE | Summary: Important: cfme security, bug fix, and enhancement update | Last Updated: 2014-06-30 22:59:47 UTC

Description Kurt Seifried 2014-06-10 06:59:18 UTC
Kurt Seifried of Red Hat Product Security reports:

========================================
./lib/util/MiqSshUtilV1.rb
  def shell_exec(cmd, doneStr=nil, shell=@shell)
    if shell
      # Writing to a temp remote script to handle cases where the cmd string is
      #   too long and is truncated.
      temp_remote_script = "/var/tmp/miq-#{Time.now.to_i}.sh"
      self.exec("echo \"#{cmd}\" > #{temp_remote_script}")
      self.exec("chmod 700 #{temp_remote_script}")
      out = shell.send_command(temp_remote_script)
      self.exec("rm -f #{temp_remote_script}")
      @status = out.status
      msg = out.stdout

      # Check if the first output return references the remote script and remove it.
      msgs = msg.split("\n")
      msg = msgs[1..-1].join("\n") if msgs[0].include?(temp_remote_script)

      raise "#{msg}" unless doneStr.nil? || msg.include?(doneStr)
      return msg
    else
      return self.exec(cmd, doneStr)
    end
  end
========================================
./lib/util/MiqSshUtilV2.rb
  def temp_cmd_file(cmd)
    temp_remote_script = "/var/tmp/miq-#{Time.now.to_i}.sh"
    self.exec("echo \"#{cmd}\" > #{temp_remote_script}")
    remote_cmd = "chmod 700 #{temp_remote_script}; #{temp_remote_script}; rm -f #{temp_remote_script}"
    yield(remote_cmd)
  end
========================================
Time.now.to_i = 1412123123
set up a file and a few hundred/thousand symlinks and you can cover an hour easily.

Between the

self.exec("echo \"#{cmd}\" > #{temp_remote_script}")
self.exec("chmod 700 #{temp_remote_script}")

an attacker can replace the file, which is then executed as root.

It should use Ruby Tempfile:
http://kurt.seifried.org/2012/03/14/creating-temporary-files-securely/
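The hardened form of the remote-script builder, as an added example that is not part of the bug report or of CFME's own code: the remote host picks the file name with mktemp (random suffix, created O_EXCL with mode 0600), the body is written by the same command that created the file, and the command text is shell-escaped rather than interpolated into an echo. The template directory and the run_locally helper are assumptions made so the command string can be exercised without an SSH session.

```ruby
require 'shellwords'
require 'open3'
require 'tmpdir'

# Hardened replacement for the remote command built in MiqSshUtilV2#temp_cmd_file
# (added example, not the project's code). Compared with the original:
#   * no predictable /var/tmp/miq-<epoch>.sh to pre-create or symlink: mktemp
#     chooses an unpredictable name and fails if the path already exists;
#   * no echo-then-chmod window: the file is created 0600 by mktemp and written
#     before anything else touches it;
#   * the command body is escaped, so quotes or $(...) in cmd are not evaluated
#     by the outer shell; they only run inside the script itself;
#   * the script's exit status survives the cleanup rm.
# The template is a parameter (assumption) so the builder can be run locally.
def hardened_remote_cmd(cmd, template: '/var/tmp/miq-XXXXXXXXXX')
  body = "#!/bin/sh\n#{cmd}\n"
  <<~SH
    t=$(mktemp #{Shellwords.escape(template)}) || exit 1
    printf %s #{Shellwords.escape(body)} > "$t" || { rm -f "$t"; exit 1; }
    chmod 700 "$t"
    "$t"; rc=$?
    rm -f "$t"
    exit $rc
  SH
end

# Stand-in for the remote shell that ssh would hand the command to: runs the
# generated text through a local /bin/sh and returns [stdout, exit_status].
def run_locally(cmd, template: File.join(Dir.tmpdir, 'miq-XXXXXXXXXX'))
  out, _err, st = Open3.capture3('sh', '-c', hardened_remote_cmd(cmd, template: template))
  [out, st.exitstatus]
end
```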

Comment 2 Vincent Danen 2014-06-24 19:52:40 UTC
Acknowledgements:

This issue was discovered by Kurt Seifried of Red Hat Product Security.

Comment 3 errata-xmlrpc 2014-06-30 19:03:25 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.x

Via RHSA-2014:0816 https://rhn.redhat.com/errata/RHSA-2014-0816.html