Bug 1152545 (CVE-2014-3700) - CVE-2014-3700 eDeploy: Remote code execution due to eval() of untrusted data
Summary: CVE-2014-3700 eDeploy: Remote code execution due to eval() of untrusted data
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2014-3700
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1152549
TreeView+ depends on / blocked
 
Reported: 2014-10-14 11:44 UTC by David Jorm
Modified: 2019-09-29 13:23 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-17 23:27:18 UTC


Attachments (Terms of Use)

Description David Jorm 2014-10-14 11:44:59 UTC
It was found that multiple code paths in eDeploy would call eval() with unsantized user-supplied input. A remote attacker could exploit this to execute arbitrary code on the eDeploy server.

Comment 1 David Jorm 2014-10-14 11:45:40 UTC
Acknowledgements:

This issue was discovered by Andrew Griffiths of Red Hat Product Security.

Comment 3 Kurt Seifried 2015-03-17 19:48:17 UTC
Summary:
  Multiple eval() usages, leading to arbitrary code execution on servers and clients (in mitm type attacks).

  Unsafe directory handling situations, filename handling. Should introduce whitelisting.

Solution:
  Comprehensive security training, with initial targets identified by github commit
  logs :-)  

upload-health.py:        hw_items = eval(hw_file.read(-1))
upload.py:        hw_items = eval(hw_file.read(-1))

hw_file is specified to the cgi script via 

$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py
$ curl -i -F name=test -F file=@/tmp/hw.lst http://localhost/cgi-bin/upload.py

respectively. allows arbitrary python code execution

matcher.py:        lst = eval('(' + _list + ')')

need to trace the code flow for _list, but .. probably vuln.

Comment 4 Kurt Seifried 2015-03-17 23:26:29 UTC
This is now filed publicly https://github.com/enovance/edeploy/issues/233

Comment 5 Kurt Seifried 2015-03-17 23:27:18 UTC
This is now filed publicly https://github.com/enovance/edeploy/issues/233

Comment 6 Kurt Seifried 2015-03-19 04:17:04 UTC
Statement:

Red Hat does not currently ship eNovance edeploy in a product form and as such this issue has been filed upstream.


Note You need to log in before you can comment on or make changes to this bug.