Bug 990321 - (CVE-2013-4482) CVE-2013-4482 luci: paster hidden untrusted path and "command" (callable association) injection
CVE-2013-4482 luci: paster hidden untrusted path and "command" (callable asso...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20131120,repor...
: Security
Depends On: 1005385
Blocks: 974906 990750
  Show dependency treegraph
 
Reported: 2013-07-30 17:51 EDT by Jan Pokorný
Modified: 2014-12-10 09:09 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the luci service was initialized. If a system administrator started the luci service from a directory that was writable to by a local user, that user could use this flaw to execute arbitrary code as the root or luci user.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 09:25:36 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 12 Tomas Hoger 2013-10-30 08:01:11 EDT
The luci uses python-paste-script / paster to start serving its web application.  paster searches current working directory and parent directories of CWD for python *.egg-info files or directories.  These are used to define additional commands recognized by the paster script, or to add additional paths to sys.path for the started web application.  luci failed to force safe CWD to compensate for this feature of paster.  If system administrator started luci service while in untrusted directory (e.g. in /tmp), a local user with write permission to the directory could use this flaw to execute arbitrary code with root or luci user privileges.

This issue was addressed by changing service init script to change current working directory before starting luci.

Acknowledgements:

This issue was discovered by Jan Pokorný of Red Hat.
Comment 13 Tomas Hoger 2013-11-20 14:01:18 EST
Lifting embargo.
Comment 14 errata-xmlrpc 2013-11-21 05:33:38 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1603 https://rhn.redhat.com/errata/RHSA-2013-1603.html

Note You need to log in before you can comment on or make changes to this bug.