Bug 1203352 - (CVE-2015-1815) CVE-2015-1815 setroubleshoot: command injection via crafted file name
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20150326,repo...
Keywords: Security
Depends On: 1203973 1203974 1203975 1203976 1203977 1206050
Blocks: 1203354
Reported: 2015-03-18 12:32 EDT by Martin Prpič
Modified: 2015-04-08 02:58 EDT
CC: 7 users

Doc Type: Bug Fix
Doc Text:
It was found that setroubleshoot did not sanitize file names supplied in a shell command look-up for RPMs associated with access violation reports. An attacker could use this flaw to escalate their privileges on the system by supplying a specially crafted file to the underlying shell command.
Last Closed: 2015-03-26 15:25:28 EDT


Attachments
  don't use insecure commands.getstatusoutput for getting rpm nvr (1.08 KB, patch) - 2015-03-19 06:59 EDT, Petr Lautrbach
  fix get_rpm_nvr_*_temporary functions (1.11 KB, patch) - 2015-03-20 11:56 EDT, Petr Lautrbach


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0729 normal SHIPPED_LIVE Important: setroubleshoot security update 2015-03-26 13:56:42 EDT

Description Martin Prpič 2015-03-18 12:32:09 EDT
It was found that setroubleshoot did not sanitize file names supplied in a shell command look-up for RPMs associated with access violation reports. An attacker could use this flaw to escalate their privileges on the system by supplying a specially crafted file to the underlying shell command.

The vulnerable code in util.py:

import os
import syslog

def get_rpm_nvr_by_file_path_temporary(name):
    if name is None or not os.path.exists(name):
        return None

    nvr = None
    try:
        import commands
        # The file name is interpolated into a shell command line that
        # commands.getstatusoutput() hands to /bin/sh.  A name containing a
        # single quote followed by shell metacharacters breaks out of the
        # quoting, and the injected command runs with the privileges of the
        # setroubleshoot process (CVE-2015-1815).
        rc, output = commands.getstatusoutput("rpm -qf '%s'" % name)
        if rc == 0:
            nvr = output
    except:
        syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" % name)
    return nvr

Acknowledgements:

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for
reporting this issue.
Comment 4 Petr Lautrbach 2015-03-19 06:59:12 EDT
Created attachment 1003803 [details]
don't use insecure commands.getstatusoutput for getting rpm nvr

subprocess module methods don't use a shell by default.
Comment 12 Petr Lautrbach 2015-03-20 06:46:57 EDT
(In reply to Huzaifa S. Sidhpurwala from comment #10)
> This looks insufficient.  What if a filename is e.g. "-a"?
> 
> BTW, at least my copy of RPM doesn't appear to support "--" to stop
> sub-option parsing.
> 
> In general, this design feels very fragile.  I'd disable the feature.

Thinking more about this, I'd use the proposed patch:

- You should not be able to run arbitrary code using only an argument of the rpm command.
- When you have a "-a" file, the rpm command will get "/tmp/-a" as an argument, not "-a" directly.
Comment 13 Petr Lautrbach 2015-03-20 11:56:29 EDT
Created attachment 1004551 [details]
fix get_rpm_nvr_*_temporary functions

- use subprocess.check_output() instead of commands.getstatusoutput()
- use os.path.abspath() to get a normalized absolutized version of the name.
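The following is an added example, not setroubleshoot's code and not either of the attached patches. It puts the vulnerable shape from the description (a file name interpolated into a string that the shell parses) next to the hardened shape from comment 13 (subprocess.check_output() with an argv list plus os.path.abspath()), and runs both against a file whose name carries a constructed shell payload. "ls -d" is an assumed stand-in for "rpm -qf" so that the example runs offline on hosts without rpm; the constants, function names and payload are all constructed for the demo.

```python
import os
import shutil
import subprocess
import tempfile

# Added example, not setroubleshoot's code. "ls -d" is an assumed stand-in
# for "rpm -qf" so the demo runs offline on hosts without rpm; the command
# shapes are what matter: a format string handed to /bin/sh versus an argv.
LOOKUP_TEMPLATE = "ls -d '%s'"   # vulnerable shape: string, shell-parsed
LOOKUP_ARGV = ["ls", "-d"]       # hardened shape: argv list, no shell


def lookup_vulnerable(name):
    """Same shape as the original get_rpm_nvr_by_file_path_temporary().
    subprocess.getstatusoutput() is the Python 3 name of the Python 2
    commands.getstatusoutput() on the page; both run the string via /bin/sh."""
    if name is None or not os.path.exists(name):
        return None
    rc, output = subprocess.getstatusoutput(LOOKUP_TEMPLATE % name)
    return output if rc == 0 else None


def lookup_hardened(name):
    """Fix in the spirit of attachment 1004551: check_output() with an argv
    list (no shell re-parsing) and os.path.abspath() so the argument always
    starts with "/" and can never be taken for an option such as "-a"."""
    if name is None or not os.path.exists(name):
        return None
    path = os.path.abspath(name)
    try:
        out = subprocess.check_output(LOOKUP_ARGV + [path], stderr=subprocess.STDOUT)
    except (subprocess.CalledProcessError, OSError):
        return None   # the original returned None on a non-zero exit too
    return out.decode("utf-8", "replace").strip()


def demo():
    """Create a file whose name carries a constructed shell payload, run both
    lookups on it, and report whether the payload executed (marker created)."""
    workdir = tempfile.mkdtemp()
    old_cwd = os.getcwd()
    os.chdir(workdir)          # relative names keep "/" out of the payload
    try:
        # Constructed payload: closes the single quote, runs touch, reopens it,
        # so the vulnerable command line becomes: ls -d 'x'; touch marker; echo ''
        crafted = "x'; touch marker; echo '"
        open(crafted, "w").close()
        results = {}

        lookup_vulnerable(crafted)
        results["vulnerable_ran_payload"] = os.path.exists("marker")
        if results["vulnerable_ran_payload"]:
            os.remove("marker")

        out = lookup_hardened(crafted)
        results["hardened_ran_payload"] = os.path.exists("marker")
        # With an argv the tool receives the whole name as one argument.
        results["hardened_saw_whole_name"] = out == os.path.abspath(crafted)
        # The "-a" case from comment 12: abspath turns it into "<cwd>/-a".
        results["abspath_neutralises_dash"] = os.path.abspath("-a").startswith("/")
        return results
    finally:
        os.chdir(old_cwd)
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

Running the script creates the marker file only from the vulnerable lookup: the shell sees three commands, while the argv form passes the whole name, quote and semicolons included, as a single argument to the tool. Note that check_output() raises on a non-zero exit where the original returned None, which is why the hardened version catches CalledProcessError; and that abspath() only removes the option-parsing concern raised in comment 12, it does not change what a tool does with an unusual but legitimate path.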
Comment 16 Huzaifa S. Sidhpurwala 2015-03-26 04:06:04 EDT
Public via:

http://www.openwall.com/lists/oss-security/2015/03/26/1
Comment 17 Huzaifa S. Sidhpurwala 2015-03-26 04:12:31 EDT
Created setroubleshoot tracking bugs for this issue:

Affects: fedora-all [bug 1206050]
Comment 18 Tomas Hoger 2015-03-26 08:00:02 EDT
Write-up and public exploit from the reporter:

https://github.com/stealth/troubleshooter
Comment 19 errata-xmlrpc 2015-03-26 09:56:51 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5

Via RHSA-2015:0729 https://rhn.redhat.com/errata/RHSA-2015-0729.html
Comment 20 Fedora Update System 2015-03-31 17:59:02 EDT
setroubleshoot-3.2.22-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2015-04-08 02:55:58 EDT
setroubleshoot-3.2.17-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2015-04-08 02:58:48 EDT
setroubleshoot-3.2.22-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
