Jeremy Choi of Red Hat reports:

OpenShift Origin does not properly validate the 'Source-Url' of cartridge manifest files used to create applications, so commands injected into it, like the one below, will be executed on the node.

    Source-Url: http://name-app.example.com/test/test;reboot;.tar.gz

Attacks can also succeed when the source URL ends with .zip, .tgz and .tar. The file specified in Source-Url must be available from the URL for the attack to succeed.

In cartridge_repository.rb:

    498   temporary = PathUtils.join(File.dirname(target), File.basename(cartridge.source_url))
    (deleted for brevity)
    519   when uri.scheme =~ /^https*/ && cartridge.source_url =~ /(\.tar\.gz|\.tgz)$/
    520     begin
    521       uri_copy(URI(cartridge.source_url), temporary, cartridge.source_md5)
    522       extract(:tgz, temporary, target)
    523     ensure
    524       FileUtils.rm(temporary)
    525     end
    (deleted for brevity)
    617   def self.extract(method, source, target)
    618     case method
    622     when :tgz
    623       Utils.oo_spawn("/bin/tar -C #{target} -zxpf #{source}",
    624                      expected_exitstatus: 0)

The system command execution in line 623 will run #{source}, which is comprised of cartridge.source_url. While the source URL is validated in manifest.rb, ';' can still be injected:

    370   if @manifest.has_key?('Source-Url')
    371     raise InvalidElementError.new('Source-Url') unless @manifest['Source-Url'] =~ URI::ABS_URI
    372     @source_url = @manifest['Source-Url']

The PoC below has been shown in Online devenv_4873:

1. Create a devenv.
2. Place a malformed manifest file with Source-Url modified on a host the devenv can access.

       Source-Url: http://<host>/test;reboot;.tar.gz

3. Create "test;reboot;.tar.gz" at the path of Source-Url in the host.
4. Try to create a cartridge with the malformed manifest.

       $ rhc app create app1 http://<host>/manifest.yml --no-git

The devenv will reboot.
While fixing this, let's stop doing this download as root.
This has now leaked publicly: https://github.com/openshift/origin-server/pull/5521
A single quoted argument around the source URL argument should also have been sufficient to prevent this (' and " are escaped in valid URLs).
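As an added illustration (not code from the report or from origin-server), the Ruby below shows why a URI syntax check like the one in manifest.rb lets the reported Source-Url through, reproduces the shell string that line 623 would execute, and contrasts it with a hardened variant that validates the archive basename against an allowlist and hands tar an argv array so no shell parses the path (with Shellwords for the quoting remedy raised in the comment above). The make_regexp-based check, SAFE_BASENAME and the hardened_argv/safe_shell_string names are my assumptions, not the project's fix.

```ruby
require 'uri'
require 'shellwords'

# Constructed samples: the Source-Url from the report and a benign one.
MALICIOUS_URL = 'http://name-app.example.com/test/test;reboot;.tar.gz'.freeze
BENIGN_URL    = 'https://cartridges.example.com/php-5.4.tar.gz'.freeze

# Stand-in for the manifest.rb check (URI::ABS_URI): pure URI syntax.
# ';' is a legal path character, so the malicious URL is accepted.
HTTP_URI = URI::DEFAULT_PARSER.make_regexp(%w[http https])

def syntactically_valid?(url)
  !(url =~ HTTP_URI).nil?
end

# The cartridge_repository.rb pattern: basename of the URL interpolated into
# a single string that a shell will parse, so ';' starts a second command.
def vulnerable_command(target, source_url)
  temporary = File.join('/tmp', File.basename(source_url))
  "/bin/tar -C #{target} -zxpf #{temporary}"
end

# Hardened (hypothetical): only plain archive names are accepted, and the
# command is an argv array, so no shell ever interprets the filename.
SAFE_BASENAME = /\A[A-Za-z0-9._-]+\.(tar\.gz|tgz)\z/

def hardened_argv(target, source_url)
  name = File.basename(URI.parse(source_url).path)
  unless name =~ SAFE_BASENAME
    raise ArgumentError, "unsafe archive name: #{name.inspect}"
  end
  ['/bin/tar', '-C', target, '-zxpf', File.join('/tmp', name)]
end

# If a shell string is unavoidable, quote every argument (Shellwords) instead
# of interpolating raw values; ';' then stays inside one argument.
def safe_shell_string(target, source_url)
  Shellwords.shelljoin(hardened_argv(target, source_url))
end

if __FILE__ == $PROGRAM_NAME
  puts "accepted by URI check: #{syntactically_valid?(MALICIOUS_URL)}"
  puts "shell would run:       #{vulnerable_command('/opt/app', MALICIOUS_URL)}"
  puts "hardened:              #{safe_shell_string('/opt/app', BENIGN_URL)}"
end
```

Running the block prints the accepted malicious URL, the injectable command line, and the quoted hardened form for the benign archive; passing the malicious URL to hardened_argv raises ArgumentError.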
Upgraded to critical due to authentication requirements; although auth is required, a common use case is to give out free testing accounts or other easily created accounts.
Acknowledgements: This issue was discovered by Jeremy Choi of the Red Hat HSS Pen-test Team.
This issue has been addressed in the following products: RHEL 6 Version of OpenShift Enterprise 1.2 Via RHSA-2014:0762 https://rhn.redhat.com/errata/RHSA-2014-0762.html
This issue has been addressed in the following products: RHEL 6 Version of OpenShift Enterprise 2.1 Via RHSA-2014:0764 https://rhn.redhat.com/errata/RHSA-2014-0764.html
This issue has been addressed in the following products: RHEL 6 Version of OpenShift Enterprise 2.0 Via RHSA-2014:0763 https://rhn.redhat.com/errata/RHSA-2014-0763.html