Bug 1153470 (CVE-2014-3702) - CVE-2014-3702 eDeploy: Path traversal in the session parameter
Summary: CVE-2014-3702 eDeploy: Path traversal in the session parameter
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2014-3702
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1152549
TreeView+ depends on / blocked
 
Reported: 2014-10-16 04:45 UTC by David Jorm
Modified: 2023-05-12 13:46 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-17 23:27:56 UTC
Embargoed:

Attachments (Terms of Use)

Description David Jorm 2014-10-16 04:45:40 UTC 
A path traversal flaw was found in eDeploy's session parameter handler. A remote attacker could use this flaw to create arbitrary directories on the server, potentially leading to a denial-of-service.
Comment 1 David Jorm 2014-10-16 04:47:55 UTC 
Acknowledgements:

This issue was discovered by Andrew Griffiths of Red Hat Product Security.
Comment 3 Kurt Seifried 2015-03-17 19:48:23 UTC 
upload.py:

        # If the filename ends with a .log, we need to process it as a log file
[1]     if ('file' in form) and (form['file'].filename.endswith('.log.gz')):
            logitem = form['file']
            logfile = logitem.file
            try:
                # Let's save the file in LOGDIR directory
                log_dir = os.path.normpath(config_get('SERVER', 'LOGDIR', cfg_dir)) + '/'
[2]             filename = os.path.join(log_dir, logitem.filename)
                output_file = open(filename, 'w')
                output_file.write(logfile.read(-1))
                output_file.close()
            except Exception, xcpt:
                # If we fails at saving, let's exit
                fatal_error("exception while saving log file: %s" % str(xcpt))
                sys.exit(1)
            # If the succeed at saving log file, let's also exit
            # In fact we have nothing more to do once its saved.
            log('Log file %s saved' % logitem.filename)
            sys.exit(0)

1 - if the file is specified ending with .log.gz, at [2], we can write an arbitrary file
due to an unsanitized filename like ../../../../../../../var/log/whatever.log.gz if the 
httpd is overly privileged, etc.


upload.py returns python code to be executed on the client:

    sys.stdout.write('''
import commands
import os
import sys

import hpacucli
import ipmi
import time

...


upload-health.py

    if form.getvalue('session'):
        dest_dir = cfg_dir + form.getvalue('session') + '/' + dirname
    else:
        dest_dir = cfg_dir + '/' + dirname

    try:
        if not os.path.isdir(dest_dir):
            os.makedirs(dest_dir)

session = a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z for fast fs directory making attack,

can return arbitrary shell commands to be ran:

    '''Report a shell script with the error message and log
    the message on stderr.'''
    print('''#!/bin/sh

cat <<EOF
%s
EOF

exit 1
''' % error)
Comment 4 Kurt Seifried 2015-03-17 23:27:56 UTC 
This is now filed publicly https://github.com/enovance/edeploy/issues/231
Comment 5 Kurt Seifried 2015-03-19 04:16:53 UTC 
Statement:

Red Hat does not currently ship eNovance edeploy in a product form and as such this issue has been filed upstream.
Note You need to log in before you can comment on or make changes to this bug.