Univention Bugzilla – Bug 51672
Remove univention-updater backdoor (code execution exploit)
Last modified: 2020-07-29 16:50:29 CEST
Each time an Administrator logs into UMC the maintenance information is fetched, to check if the system is still in maintenance:

base/univention-updater/umc/python/updater/__init__.py:

    237     def _maintenance_information(self):
    …
    243             url = 'https://updates.software-univention.de/download/ucs-maintenance/{}.yaml'.format(version)
    244             response = requests.get(url, timeout=10)
    245             if not response.ok:
    246                 response.raise_for_status()
    247             status = yaml.load(response.content)

As yaml.load() executes arbitrary python code, this is a backdoor for root code execution. E.g.:

    python -c 'import yaml; yaml.load("!!python/object/new:os.system [echo EXPLOIT!]")'
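The fix replaces yaml.load() with yaml.safe_load(). The following is an added example (not code from the bug report or from the univention-updater package) showing why that closes the hole: the safe loader only constructs plain YAML mappings, lists and scalars and raises a ConstructorError for application tags such as the !!python/object/new tag quoted above, so nothing is instantiated and no code runs. yaml.load() without an explicit Loader used the full, unsafe loader in PyYAML releases before 5.1, which is what the report exploits. The two sample documents, the parse_maintenance_status and rejects_tagged_document helpers and the key names ucs_version and maintenance are constructed for this example and are not the format of the real ucs-maintenance files.

```python
import yaml

# Constructed sample documents (not fetched from the update server): a
# benign maintenance file and a document carrying the python/object tag
# that the bug report used to demonstrate code execution with yaml.load().
BENIGN_DOC = "ucs_version: '4.4-5'\nmaintenance: false\n"
TAGGED_DOC = "!!python/object/new:os.system [echo EXPLOIT!]"


def parse_maintenance_status(content):
    """Parse a maintenance YAML document with the safe loader.

    yaml.safe_load() only builds plain YAML types and raises
    yaml.constructor.ConstructorError (a YAMLError) for any tag it has no
    constructor for, e.g. !!python/object/new, regardless of what the
    remote file contains.
    """
    status = yaml.safe_load(content)
    # The caller expects a mapping; fail early on any other shape instead
    # of letting a surprising document propagate into the UMC module.
    if not isinstance(status, dict):
        raise ValueError("maintenance file is not a YAML mapping")
    return status


def rejects_tagged_document(content):
    """True if the safe loader refuses to construct the document."""
    try:
        parse_maintenance_status(content)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__":
    print(parse_maintenance_status(BENIGN_DOC))
    print("tagged document rejected:", rejects_tagged_document(TAGGED_DOC))
```

The isinstance check is an extra guard beyond the one-word fix in the commit: even with the safe loader, a maintenance file that parses to a list or a bare string would otherwise reach the updater code as an unexpected type.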
Introduced in Bug #43026 git:ed67b2c9671e0b0b6e095b4878e350f4f17ab83f.
[4.4-5] faa060bb38 Bug #51672: univention-updater 14.0.2-15
 base/univention-updater/debian/changelog                |  6 ++++++
 base/univention-updater/umc/python/updater/__init__.py |  2 +-
 doc/errata/staging/univention-updater.yaml             | 13 +++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

Package: univention-updater
Version: 14.0.2-15A~4.4.0.202007230944
Branch: ucs_4.4-0
Scope: errata4.4-5

[4.4-5] 45d6b34437 Bug #51672: univention-updater 14.0.2-15A~4.4.0.202007230944
 doc/errata/staging/univention-updater.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

QA:

    python -c "import requests,yaml;version='4.4-5';url='https://updates.software-univention.de/download/ucs-maintenance/{}.yaml'.format(version);response=requests.get(url, timeout=10);status=yaml.safe_load(response.content);print(status)"
bc55543151 | Advisory wording

Verified:
* Code change
* UCS release update via UMC from 4.4-4 to 4.4-5 with patched version
<https://errata.software-univention.de/#/?erratum=4.4x678>