Univention Bugzilla – Bug 36123
UMC-Server: crash with invalid request parameters in ACL evaluation
Last modified: 2023-06-19 15:33:51 CEST
The ACLs.__option_match() method is (still) vulnerable to UMC server crashes. The only module which currently defines vulnerable UMC operation sets is UDM as it defines command patterns for every flavor (e.g. cn=udm-users,cn=operations,cn=UMC,$ldap_base). Some tracebacks which might occur then are:

umc-command -U test -P univention udm/query -e -o 'None'

30.09.14 13:24:52.418  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 165, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 282, in _handle
    state.processor.request( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 281, in request
    self.handle_request_command( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 692, in handle_request_command
    is_allowed = self.acls.is_command_allowed( msg.arguments[ 0 ], options = msg.options, flavor = msg.flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 279, in is_command_allowed
    self._is_allowed( filter( lambda x: x.fromUser == True, self.acls ), command, hostname, options, flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 255, in _is_allowed
    opt_match = self.__option_match( rule.options, options )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 200, in __option_match
    if key.startswith('!') and key in opts:
TypeError: argument of type 'NoneType' is not iterable

umc-command -U test -P univention udm/query -e -o '["objectType"]'

30.09.14 13:29:18.033  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/sbin/univention-management-console-server", line 142, in _restart
    self._start()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 165, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 282, in _handle
    state.processor.request( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 281, in request
    self.handle_request_command( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 692, in handle_request_command
    is_allowed = self.acls.is_command_allowed( msg.arguments[ 0 ], options = msg.options, flavor = msg.flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 279, in is_command_allowed
    self._is_allowed( filter( lambda x: x.fromUser == True, self.acls ), command, hostname, options, flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 255, in _is_allowed
    opt_match = self.__option_match( rule.options, options )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 206, in __option_match
    if isinstance( opts[ key ], basestring ):
TypeError: list indices must be integers, not str

umc-command -U test -P univention udm/query -e -o '{"objectType": None}'

30.09.14 13:30:46.894  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/sbin/univention-management-console-server", line 142, in _restart
    self._start()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 165, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 282, in _handle
    state.processor.request( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 281, in request
    self.handle_request_command( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 692, in handle_request_command
    is_allowed = self.acls.is_command_allowed( msg.arguments[ 0 ], options = msg.options, flavor = msg.flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 279, in is_command_allowed
    self._is_allowed( filter( lambda x: x.fromUser == True, self.acls ), command, hostname, options, flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 255, in _is_allowed
    opt_match = self.__option_match( rule.options, options )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 210, in __option_match
    for option in options:
TypeError: 'NoneType' object is not iterable

umc-command -U test -P univention udm/query -e -o '{"objectType": [{}]}'

30.09.14 13:31:59.845  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/sbin/univention-management-console-server", line 142, in _restart
    self._start()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 165, in _receive
    self._handle( state, msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 282, in _handle
    state.processor.request( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 281, in request
    self.handle_request_command( msg )
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/session.py", line 692, in handle_request_command
    is_allowed = self.acls.is_command_allowed( msg.arguments[ 0 ], options = msg.options, flavor = msg.flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 279, in is_command_allowed
    self._is_allowed( filter( lambda x: x.fromUser == True, self.acls ), command, hostname, options, flavor )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 255, in _is_allowed
    opt_match = self.__option_match( rule.options, options )
  File "/usr/lib/pymodules/python2.7/univention/management/console/acl.py", line 214, in __option_match
    elif not option.startswith( value[ : -1 ] ):
AttributeError: 'dict' object has no attribute 'startswith'
This will at least not crash the server anymore (with fix in Bug #37366).
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 ended on 31st of May 2016. Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.