Bug 968166 - (CVE-2013-2121) CVE-2013-2121 Foreman: app/controllers/bookmarks_controller.rb remote code execution
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Platform: All Linux
Priority: high  Severity: high
Assigned To: Red Hat Product Security
http://projects.theforeman.org/issues...
impact=important,public=20130607,repo...
Keywords: Security
Depends On: 968172 968173 969029
Blocks: 966806
Reported: 2013-05-29 03:08 EDT by Garth Mollett
Modified: 2016-04-26 22:25 EDT (History)

Doc Type: Bug Fix
Last Closed: 2015-05-20 01:23:38 EDT
Description Garth Mollett 2013-05-29 03:08:18 EDT
Ramon de C Valle (rcvalle@redhat.com) reports:

There is a code injection vulnerability in the create method of the
Bookmarks controller. The create method uses the (mass-assigned)
controller attribute of the newly created bookmark in an eval statement
without sanitizing it:

def create
  @bookmark = Bookmark.new(params[:bookmark])

  respond_to do |format|
    if @bookmark.save
      format.html { redirect_to(eval(@bookmark.controller+"_path"),
                                :notice => _('Bookmark was successfully created.')) }
    else
      format.html { render :action => "new" }
    end
  end
end

Any user with permissions to create a bookmark can execute arbitrary
code and arbitrary system commands by sending a specially-crafted POST
request. The controller attribute is validated with the regular
expression /\A(\S+)\Z/, which prevents us from using code containing
spaces. However, this can be easily circumvented (see example (a)). The
following are some possible example attacks, including arbitrary command
execution.
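As an added, Rails-free illustration (not Foreman's code or the upstream fix), the following contrasts the /\A(\S+)\Z/ validation from the report with an allowlist lookup that never evaluates the controller value; the controller names, paths and sample inputs are constructed for the example:

```ruby
# Added illustration (not Foreman's code): a minimal model of the bookmark
# redirect, contrasting the report's regex validation with an allowlist lookup.

# Validation as quoted in the report. \S+ accepts any run of non-whitespace
# characters, and in Ruby \Z also matches just before a trailing newline, so
# this only guarantees the absence of whitespace, nothing more.
ORIGINAL_CONTROLLER_FORMAT = /\A(\S+)\Z/

# Hardened format: a plain lowercase identifier, anchored with \z (absolute end).
SAFE_CONTROLLER_FORMAT = /\A[a-z][a-z0-9_]*\z/

# Allowlist of known controller names mapped to route helpers (hypothetical paths).
ROUTE_HELPERS = {
  "hosts"     => -> { "/hosts" },
  "bookmarks" => -> { "/bookmarks" },
}.freeze

# The original check: true for anything that contains no whitespace.
def original_format_ok?(controller)
  !!(controller =~ ORIGINAL_CONTROLLER_FORMAT)
end

# Hardened check: strict format AND membership in the allowlist.
def safe_controller?(controller)
  controller.is_a?(String) &&
    !!(controller =~ SAFE_CONTROLLER_FORMAT) &&
    ROUTE_HELPERS.key?(controller)
end

# Replacement for eval(@bookmark.controller + "_path"): user input is only ever
# used as a hash key; unknown names fall back to a fixed path.
def redirect_path_for(controller, fallback: "/")
  return fallback unless safe_controller?(controller)
  ROUTE_HELPERS.fetch(controller).call
end

# Constructed inputs: a legitimate name plus two values the original regex
# accepts although neither is a controller name (punctuation, trailing newline).
SAMPLE_INPUTS = ["hosts", "hosts;other", "hosts\n"].freeze

def audit(inputs = SAMPLE_INPUTS)
  inputs.map do |c|
    { input: c, original_regex_accepts: original_format_ok?(c),
      allowlisted: safe_controller?(c), redirect: redirect_path_for(c) }
  end
end

audit.each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```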
Comment 4 Murray McAllister 2013-05-30 18:20:50 EDT
Acknowledgements:

This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.
Comment 5 Dominic Cleal 2013-06-07 05:48:22 EDT
Upstream tracker: http://projects.theforeman.org/issues/2631

A fix has been committed:
commit ef4b97d177c58c9532730d53dca0517bc869a0ce
Author: Joseph Mitchell Magen <jmagen@redhat.com>
Date:   Mon Jun 3 18:11:32 2013 +0100

    fixes #2631 - fix remote code execution via controller name (CVE-2013-2121)

And cherry-picked to stable branches:
1.2-stable: 2f3839eb9928bd04876c2e1bfe509cd9ed120991
1.1-stable: 8920e796a285201e9e0f6af0220e79d257077d7d

The fix will be packaged as part of Foreman 1.2.0-RC2.

foreman-users announcement: http://groups.google.com/group/foreman-users/browse_thread/thread/e96a4eff7ba08975
Comment 9 Kurt Seifried 2013-06-13 12:05:18 EDT
This issue is public: http://projects.theforeman.org/issues/2631
Comment 10 errata-xmlrpc 2013-06-27 12:45:31 EDT
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0995 https://rhn.redhat.com/errata/RHSA-2013-0995.html
