Univention Bugzilla – Bug 49974
UCR template file definitions executes code appearing in filename
Last modified: 2019-08-07 15:26:57 CEST
Create file /etc/univention/templates/info/foo.info Type: multifile Multifile: etc/; touch /tmp/hacked Variables: foo Type: subfile Multifile: etc/; touch /tmp/hacked Subfile: etc/samba/smb.conf.d/99univention-samba_local_shares Variables: foo Then execute: # ucr commit '/etc/; touch /tmp/hacked' Multifile: /etc/; touch /tmp/hacked /bin/sh: 1: /etc/univention/templates/scripts/etc/: Permission denied → # ls -l /tmp/hacked -rw-r--r-- 1 root root 0 Aug 2 17:00 /tmp/hacked
Patch?!: diff --git a/base/univention-config-registry/python/univention/config_registry/handler.py b/base/univention-config-registry/python/univention/config_registry/handler.py index b2fb7b8ca8..c632dd98ce 100644 --- a/base/univention-config-registry/python/univention/config_registry/handler.py +++ b/base/univention-config-registry/python/univention/config_registry/handler.py @@ -162,8 +162,7 @@ def run_script(script, arg, changes): if value and len(value) > 1 and value[0] and value[1]: diff.append('%s@%%@%s@%%@%s\n' % (key, value[0], value[1])) - cmd = script + " " + arg - proc = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, close_fds=True) + proc = subprocess.Popen([script, arg], stdin=subprocess.PIPE, close_fds=True) proc.communicate(''.join(diff))
(In reply to Florian Best from comment #0) > Create file /etc/univention/templates/info/foo.info You need to be "root" to create that file. As that user you can do anything, no need to go through UCR. > Then execute: And now you have hacked yourself? (In reply to Florian Best from comment #1) > Patch?!: ... > diff --git a/base/univention-config-registry/python/univention/config_registry/handler.py ... > - cmd = script + " " + arg > - proc = subprocess.Popen(cmd, shell=True, stdin=subprocess.PIPE, > close_fds=True) > + proc = subprocess.Popen([script, arg], stdin=subprocess.PIPE, > close_fds=True) Might be an API change. Otherwise looks valid.
(In reply to Philipp Hahn from comment #2) > (In reply to Florian Best from comment #0) > > Create file /etc/univention/templates/info/foo.info > > You need to be "root" to create that file. As that user you can do anything, > no need to go through UCR. > > > Then execute: > > And now you have hacked yourself? Yes. I hacked the code and did something which is not wanted by the code. I didn't flag this bug as security issue. Just as dirty style "Development Internal". If someone external uses univention.config_registry.handler.run_script() it can cause a security issue.
(In reply to Florian Best from comment #3) > (In reply to Philipp Hahn from comment #2) > > (In reply to Florian Best from comment #0) > > > Create file /etc/univention/templates/info/foo.info > > > > You need to be "root" to create that file. As that user you can do anything, > > no need to go through UCR. > > > > > Then execute: > > > > And now you have hacked yourself? > Yes. I hacked the code and did something which is not wanted by the code. The code is using shell=True for a (historic) reason, so that behavior was wanted back than. > If someone external uses univention.config_registry.handler.run_script() it > can cause a security issue. Don't install code from untrusted sources! Or meta-data filed which then call untrusted code.