Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1152545 - (CVE-2014-3700) CVE-2014-3700 eDeploy: Remote code execution due to eval() of untrusted data
CVE-2014-3700 eDeploy: Remote code execution due to eval() of untrusted data
Status: CLOSED UPSTREAM
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20150317,repo...
: Security
Depends On:
Blocks: 1152549
  Show dependency treegraph
 
Reported: 2014-10-14 07:44 EDT by David Jorm
Modified: 2015-03-19 00:17 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-17 19:27:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description David Jorm 2014-10-14 07:44:59 EDT 
It was found that multiple code paths in eDeploy would call eval() with unsantized user-supplied input. A remote attacker could exploit this to execute arbitrary code on the eDeploy server.
Comment 1 David Jorm 2014-10-14 07:45:40 EDT 
Acknowledgements:

This issue was discovered by Andrew Griffiths of Red Hat Product Security.
Comment 3 Kurt Seifried 2015-03-17 15:48:17 EDT 
Summary:
  Multiple eval() usages, leading to arbitrary code execution on servers and clients (in mitm type attacks).

  Unsafe directory handling situations, filename handling. Should introduce whitelisting.

Solution:
  Comprehensive security training, with initial targets identified by github commit
  logs :-)  

upload-health.py:        hw_items = eval(hw_file.read(-1))
upload.py:        hw_items = eval(hw_file.read(-1))

hw_file is specified to the cgi script via 

$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py

respectively. allows arbitrary python code execution

matcher.py:        lst = eval('(' + _list + ')')

need to trace the code flow for _list, but .. probably vuln.
Comment 4 Kurt Seifried 2015-03-17 19:26:29 EDT 
This is now filed publicly https://github.com/enovance/edeploy/issues/233
Comment 5 Kurt Seifried 2015-03-17 19:27:18 EDT 
This is now filed publicly https://github.com/enovance/edeploy/issues/233
Comment 6 Kurt Seifried 2015-03-19 00:17:04 EDT 
Statement:

Red Hat does not currently ship eNovance edeploy in a product form and as such this issue has been filed upstream.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.