990321 – (CVE-2013-4482) CVE-2013-4482 luci: paster hidden untrusted path and "command" (callable association) injection

Bug 990321 (CVE-2013-4482) - CVE-2013-4482 luci: paster hidden untrusted path and "command" (callable association) injection

Summary: CVE-2013-4482 luci: paster hidden untrusted path and "command" (callable asso...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2013-4482
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1005385
Blocks:	974906 990750
TreeView+	depends on / blocked

Reported:	2013-07-30 21:51 UTC by Jan Pokorný [poki]
Modified:	2023-05-13 00:35 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A flaw was found in the way the luci service was initialized. If a system administrator started the luci service from a directory that was writable to by a local user, that user could use this flaw to execute arbitrary code as the root or luci user.
Clone Of:
Environment:
Last Closed:	2013-11-21 14:25:36 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:1603	0	normal	SHIPPED_LIVE	Moderate: luci security, bug fix, and enhancement update	2013-11-21 00:39:24 UTC

Comment 12 Tomas Hoger 2013-10-30 12:01:11 UTC

The luci uses python-paste-script / paster to start serving its web application.  paster searches current working directory and parent directories of CWD for python *.egg-info files or directories.  These are used to define additional commands recognized by the paster script, or to add additional paths to sys.path for the started web application.  luci failed to force safe CWD to compensate for this feature of paster.  If system administrator started luci service while in untrusted directory (e.g. in /tmp), a local user with write permission to the directory could use this flaw to execute arbitrary code with root or luci user privileges.

This issue was addressed by changing service init script to change current working directory before starting luci.

Acknowledgements:

This issue was discovered by Jan Pokorný of Red Hat.

Comment 13 Tomas Hoger 2013-11-20 19:01:18 UTC

Lifting embargo.

Comment 14 errata-xmlrpc 2013-11-21 10:33:38 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1603 https://rhn.redhat.com/errata/RHSA-2013-1603.html

Note You need to log in before you can comment on or make changes to this bug.