[Bug 472752] New: Security issue in scr.execute

https://bugzilla.novell.com/show_bug.cgi?id=472752

           Summary: Security issue in scr.execute
    Classification: openSUSE
           Product: openSUSE 11.1
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: YaST2
        AssignedTo: mvidner@novell.com
        ReportedBy: schubi@novell.com
         QAContact: jsrain@novell.com
                CC: lnussel@novell.com
          Found By: ---

scr.execute (target.bash*) uses a string for the command with which all binaries and arguments are defined. That's fine if it runs under the user "root". Since SCR is also available via DBUS we have to take much more care concerning the given arguments. I have talked with the security team (Ludwig :-)) and we have come to the conclusion that we need another scr.execute call which processes an array of arguments instead of a string. So this scr.execute could use the system call which uses an array of arguments too.

Currently I am using scr.execute in this way:

require 'dbus'   # ruby-dbus gem, provides DBus::SystemBus and DBus::ProxyObjectInterface

def Scr.execute (argument, environment=[] )
  command = "LANG=en.UTF-8"
  environment.each do |env|
    command += " #{env}"
  end
  command += " /usr/lib/YaST2/bin/tty_wrapper "
  # Every caller-supplied argument is interpolated unquoted into the single
  # command string; the shell behind .target.bash_output parses it as a whole.
  argument.each do |arg|
    command += " #{arg}"
  end
  command += " </dev/null"

  system_bus = DBus::SystemBus.instance
  # Get the yast service
  yast = system_bus.service("org.opensuse.yast.SCR")
  # Get the object from this service
  objYast = yast.object("/SCR")
  poiSCR = DBus::ProxyObjectInterface.new(objYast, "org.opensuse.yast.SCR.Methods")
  poiSCR.define_method("Execute", "in path:(bsv), in arg:(bsv), in opt:(bsv), out ret:(bsv)")
  # SCR receives the whole string as one argument to .target.bash_output
  ret = poiSCR.Execute([false, "path", ["s",".target.bash_output"] ],
                       [false, "", ["s",command] ],
                       [false, "", ["s",""] ])
  STDERR.puts " SCRExecute (" + command + ") => " + if ret[0][2]["exit"][2] == 1 then "1"; else "0"; end
  return { :stdout => ret[0][2]["stdout"][2],
           :stderr => ret[0][2]["stderr"][2],
           :exit   => ret[0][2]["exit"][2] }
end

Martin, would this be possible?
-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=472752

User schubi@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472752#c1

--- Comment #1 from Stefan Schubert <schubi@novell.com> 2009-02-05 01:36:29 MST ---
This problem does exist in YaST-Webservice ONLY and does NOT CONCERN the rest of the system.

https://bugzilla.novell.com/show_bug.cgi?id=472752

User mvidner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472752#c2

Martin Vidner <mvidner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Security issue in           |Security issue in
                   |scr.execute                 |scr.execute (.target.bash*)

--- Comment #2 from Martin Vidner <mvidner@novell.com> 2009-02-05 02:20:00 MST ---
I was alarmed about the whole SCR::Execute, but this is just about .target.bash and its variants.

https://bugzilla.novell.com/show_bug.cgi?id=472752

User mvidner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472752#c3

--- Comment #3 from Martin Vidner <mvidner@novell.com> 2009-02-05 02:44:24 MST ---
This Scr.execute is used by yast2-webservice for calling YaST CLI APIs like

  yast2 user add name="foo"

where foo comes from the user and that can be

  foo; rm *

(BTW what would be the REST call resulting in the above CLI?)
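The following Ruby script is an added illustration of the problem in the bug report and of comment #3's injection; it is not code from the bug or from yast2-webservice. It puts three ways of passing a caller-controlled value side by side: the plain string join from the report, the same string with every word shell-quoted by Shellwords.join (a mitigation the thread does not mention, usable as long as .target.bash_output only accepts a string), and the argv form the bug asks for. It assumes /bin/sh, /bin/echo and touch are available and uses /bin/sh as a stand-in for SCR's .target.bash_output (run as the current user, not as root over D-Bus) and /bin/echo as a stand-in for the YaST CLI. Both payloads are constructed for the demo: one mirrors comment #3's "foo; rm *", the other uses a bare ">" to show that harm needs neither a space nor a semicolon. Whether a marker file appears in a temporary directory is how the script tells whether the shell executed the injected part.

```ruby
require 'open3'
require 'shellwords'
require 'tmpdir'

# Stand-in for SCR's .target.bash_output: one command string, parsed by
# /bin/sh. Here it runs as the current user; over D-Bus it runs as root.
def run_shell_string(command)
  out, err, status = Open3.capture3("/bin/sh", "-c", command)
  { :stdout => out, :stderr => err, :exit => status.exitstatus }
end

# The call the bug asks for: an argv array handed straight to the process
# spawner. No shell parses it, so ';', '>' or quotes inside an element are
# only bytes of that one argument.
def run_argv(argv)
  out, err, status = Open3.capture3(*argv)
  { :stdout => out, :stderr => err, :exit => status.exitstatus }
end

# Runs one strategy and reports [marker file created?, first stdout line].
def observe(marker)
  r = yield
  created = File.exist?(marker)
  File.delete(marker) if created
  [created, r[:stdout].lines.first.to_s.chomp]
end

# Compares the strategies with /bin/echo standing in for the YaST CLI.
# Both payloads are constructed for this demo: the ';' one mirrors comment
# #3's "foo; rm *", the '>' one needs neither a space nor a ';' to do harm.
# A marker file appearing means the shell executed what the caller typed.
def compare_strategies
  results = {}
  Dir.mktmpdir("scr-demo") do |dir|
    marker   = File.join(dir, "marker")
    chained  = ["/bin/echo", "user", "add", "name=foo; touch #{marker}"]
    redirect = ["/bin/echo", "user", "add", "name=foo>#{marker}"]

    # 1. Plain join, as in the report: a second command runs, or echo's
    #    output is redirected into a file of the caller's choosing.
    results[:joined_chained]  = observe(marker) { run_shell_string(chained.join(" ")) }
    results[:joined_redirect] = observe(marker) { run_shell_string(redirect.join(" ")) }

    # 2. Still one string, but every word shell-quoted by Shellwords.join:
    #    the usable mitigation while .target.bash_output only takes a string.
    results[:quoted_chained]  = observe(marker) { run_shell_string(Shellwords.join(chained)) }
    results[:quoted_redirect] = observe(marker) { run_shell_string(Shellwords.join(redirect)) }

    # 3. argv array, no shell at all: the payload stays one literal argument.
    results[:argv_chained]    = observe(marker) { run_argv(chained) }
    results[:argv_redirect]   = observe(marker) { run_argv(redirect) }
  end
  results
end

if __FILE__ == $0
  compare_strategies.each do |name, (created, line)|
    puts "#{name}: marker=#{created} stdout=#{line.inspect}"
  end
end
```

Only the two joined-string runs create the marker; the quoted and argv runs hand the whole "name=foo; touch ..." or "name=foo>..." text to echo as a single argument, which is the behaviour the array-based scr.execute call is meant to guarantee by construction rather than by quoting.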

https://bugzilla.novell.com/show_bug.cgi?id=472752

User mvidner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472752#c4

--- Comment #4 from Martin Vidner <mvidner@novell.com> 2009-02-05 03:02:43 MST ---
A related complication is that the generic CLI API needs to parse option="val" arguments. We could have similar problems with that, but let's track it in a new bug if needed.

https://bugzilla.novell.com/show_bug.cgi?id=472752

User schubi@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472752#c5

--- Comment #5 from Stefan Schubert <schubi@novell.com> 2009-02-05 08:05:54 MST ---
Meanwhile I have added argument checks in the webservice. That is not perfect, but prevents corrupted input:

+def Scr.execute (arguments, environment=[] )
+
+  #sanitize arguments
+  whitelist = ("a".."z").to_a.to_s + ("A".."Z").to_a.to_s + ("0".."9").to_a.to_s + "_-/=:.,\"<>"
+  arguments.each do |arg|
+    wrongArguments = false
+    for i in (0..arg.size-1) do
+      if whitelist.index(arg[i]) == nil
+        wrongArguments = true
+        break
+      end
+    end
+    if wrongArguments
+      return { :stdout =>"", :stderr => "#{arg}: only a..z A..Z 0..9,_-/=.:<> are allowed", :exit => 2}
+    end
+  end
+
+  #note environment array will not be set by the user. So no check is needed.
+
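Review bot: the whitelist in this hunk still admits the shell redirection and quoting characters `<`, `>` and `"` next to `/`, `.` and `=`, so an argument like `name=foo>/etc/shadow` passes the check unchanged and, once interpolated into the single command string that .target.bash_output hands to the shell, truncates that file as root; drop `<>"` from the allowed set (the only redirection the code needs, `</dev/null`, is appended by Scr.execute itself, not by the caller), or better, stop building a shell string at all. Two smaller points: `("a".."z").to_a.to_s` relies on Ruby 1.8's Array#to_s joining the elements; on Ruby 1.9 and later it returns the inspect form `["a", "b", ...]`, which silently adds `[`, `]`, `,`, space and `"` to the allowed characters, so use `("a".."z").to_a.join` instead; and the error message lists `,_-/=.:<>` while the whitelist also contains `"`, so the two should be kept in sync.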

https://bugzilla.novell.com/show_bug.cgi?id=472752

User schubi@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472752#c6

--- Comment #6 from Stefan Schubert <schubi@novell.com> 2009-02-05 08:07:01 MST ---
Um, that is a workaround only which is not very nice and not 100 percent safe. :-)