Bug 36123 - UMC-Server: crash with invalid request parameters in ACL evaluation
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 5.0
Other Linux
P5 normal
UCS 4.0-x
Assigned To: UMC maintainers
Reported: 2014-10-10 11:57 CEST by Florian Best
Modified: 2023-06-19 15:33 CEST (History)

What kind of report is it?: Security Issue
Bug group (optional): Error handling
Description Florian Best univentionstaff 2014-10-10 11:57:01 CEST
The ACLs.__option_match() method is (still) vulnerable to UMC server crashes.
The only module which currently defines vulnerable UMC operation sets is UDM as it defines command patterns for every flavor (e.g. cn=udm-users,cn=operations,cn=UMC,$ldap_base).

Some tracebacks which may then occur are:
umc-command -U test -P univention udm/query -e -o 'None'
30.09.14 13:24:52.418  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 165, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 282, in _handle
    state.processor.request( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 281, in request
    self.handle_request_command( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 692, in handle_request_command
    is_allowed = self.acls.is_command_allowed( msg.arguments[ 0 ], options = msg.options, flavor = msg.flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 279, in is_command_allowed
    self._is_allowed( filter( lambda x: x.fromUser == True, self.acls ), command, hostname, options, flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 255, in _is_allowed
    opt_match = self.__option_match( rule.options, options )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 200, in __option_match
    if key.startswith('!') and key in opts:
TypeError: argument of type 'NoneType' is not iterable

umc-command -U test -P univention udm/query -e -o '["objectType"]'
30.09.14 13:29:18.033  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/sbin/univention-management-console-server", line 142, in _restart
    self._start()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 165, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 282, in _handle
    state.processor.request( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 281, in request
    self.handle_request_command( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 692, in handle_request_command
    is_allowed = self.acls.is_command_allowed( msg.arguments[ 0 ], options = msg.options, flavor = msg.flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 279, in is_command_allowed
    self._is_allowed( filter( lambda x: x.fromUser == True, self.acls ), command, hostname, options, flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 255, in _is_allowed
    opt_match = self.__option_match( rule.options, options )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 206, in __option_match
    if isinstance( opts[ key ], basestring ):
TypeError: list indices must be integers, not str

umc-command -U test -P univention udm/query -e -o '{"objectType": None}'
30.09.14 13:30:46.894  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/sbin/univention-management-console-server", line 142, in _restart
    self._start()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 165, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 282, in _handle
    state.processor.request( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 281, in request
    self.handle_request_command( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 692, in handle_request_command
    is_allowed = self.acls.is_command_allowed( msg.arguments[ 0 ], options = msg.options, flavor = msg.flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 279, in is_command_allowed
    self._is_allowed( filter( lambda x: x.fromUser == True, self.acls ), command, hostname, options, flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 255, in _is_allowed
    opt_match = self.__option_match( rule.options, options )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 210, in __option_match
    for option in options:
TypeError: 'NoneType' object is not iterable

umc-command -U test -P univention udm/query -e -o '{"objectType": [{}]}'
30.09.14 13:31:59.845  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/sbin/univention-management-console-server", line 142, in _restart
    self._start()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 165, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 282, in _handle
    state.processor.request( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 281, in request
    self.handle_request_command( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 692, in handle_request_command
    is_allowed = self.acls.is_command_allowed( msg.arguments[ 0 ], options = msg.options, flavor = msg.flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 279, in is_command_allowed
    self._is_allowed( filter( lambda x: x.fromUser == True, self.acls ), command, hostname, options, flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 255, in _is_allowed
    opt_match = self.__option_match( rule.options, options )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 214, in __option_match
    elif not option.startswith( value[ : -1 ] ):
AttributeError: 'dict' object has no attribute 'startswith'
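The four tracebacks above share one root cause: the option matcher indexes, iterates and calls .startswith() on request data without first checking that the data has the expected shape (a dict of option name to string or list of strings). The following is an added example, not code from the UMC server, reconstructing a type-tolerant version of that check in Python 3 under assumed semantics: a rule value is a string or list of strings, a trailing '*' is a prefix match, and a '!' key prefix negates. The sample -o payloads on the page are Python literals, so the example decodes them with ast.literal_eval (an assumption about how umc-command parses them). Every malformed input becomes a non-match (deny) instead of an exception that takes the server down.

```python
import ast


def _as_str_list(value):
    """Normalise a value to a list of str; any other shape is malformed -> None."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    return None


def _pattern_matches(pattern, option):
    """A pattern ending in '*' is a prefix match, otherwise an exact match."""
    if pattern.endswith('*'):
        return option.startswith(pattern[:-1])
    return option == pattern


def option_match(rule_options, request_options):
    """Return True iff the request options satisfy the rule's option constraints.

    Malformed input (wrong container type, None, nested dicts) never raises:
    it is a non-match, which the caller treats as 'command not allowed'.
    Assumed rule format (hypothetical): {"objectType": "users/*"} or
    {"!objectType": ["users/*", "groups/*"]}.
    """
    if not isinstance(rule_options, dict) or not isinstance(request_options, dict):
        return False  # e.g. -o 'None' or -o '["objectType"]'
    for key, rule_value in rule_options.items():
        if not isinstance(key, str):
            return False
        negate = key.startswith('!')
        name = key[1:] if negate else key
        patterns = _as_str_list(rule_value)
        options = _as_str_list(request_options.get(name))
        if patterns is None or options is None:
            return False  # e.g. {"objectType": None} or {"objectType": [{}]}
        matched = any(_pattern_matches(p, o) for p in patterns for o in options)
        if matched == negate:  # positive rule unmatched, or negated rule matched
            return False
    return True


def check_request(rule_options, raw_options):
    """Decode the raw -o payload (Python literal, as in the reports) and evaluate it."""
    try:
        request_options = ast.literal_eval(raw_options)
    except (ValueError, SyntaxError):
        return False
    return option_match(rule_options, request_options)
```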
Comment 1 Florian Best univentionstaff 2015-05-12 16:59:05 CEST
This will at least not crash the server anymore (with fix in Bug #37366).
Comment 2 Stefan Gohmann univentionstaff 2019-01-03 07:18:21 CET
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on the 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.