Bug 51672 - Remove univention-updater backdoor (code execution exploit)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Software update
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-5-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
Depends on: 43026
Blocks:
Reported: 2020-07-15 13:39 CEST by Florian Best
Modified: 2020-07-29 16:50 CEST (History)

What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 6.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P/RL:U/RC:C)
best: Patch_Available+


Description Florian Best univentionstaff 2020-07-15 13:39:56 CEST
Each time an Administrator logs into UMC, the maintenance information is fetched to check if the system is still in maintenance:

base/univention-updater/umc/python/updater/__init__.py:

    def _maintenance_information(self):
    …
            url = 'https://updates.software-univention.de/download/ucs-maintenance/{}.yaml'.format(version)
            response = requests.get(url, timeout=10)
            if not response.ok:
                response.raise_for_status()
            status = yaml.load(response.content)

As yaml.load() executes arbitrary python code, this is a backdoor for root code execution:

E.g.:
python -c 'import yaml; yaml.load("!!python/object/new:os.system [echo EXPLOIT!]")'
Comment 1 Florian Best univentionstaff 2020-07-15 13:42:20 CEST
Introduced in Bug #43026 git:ed67b2c9671e0b0b6e095b4878e350f4f17ab83f.
Comment 2 Philipp Hahn univentionstaff 2020-07-23 09:50:45 CEST
[4.4-5] faa060bb38 Bug #51672: univention-updater 14.0.2-15
 base/univention-updater/debian/changelog               |  6 ++++++
 base/univention-updater/umc/python/updater/__init__.py |  2 +-
 doc/errata/staging/univention-updater.yaml             | 13 +++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

Package: univention-updater
Version: 14.0.2-15A~4.4.0.202007230944
Branch: ucs_4.4-0
Scope: errata4.4-5

[4.4-5] 45d6b34437 Bug #51672: univention-updater 14.0.2-15A~4.4.0.202007230944
 doc/errata/staging/univention-updater.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

QA: python -c "import requests,yaml;version='4.4-5';url='https://updates.software-univention.de/download/ucs-maintenance/{}.yaml'.format(version);response=requests.get(url, timeout=10);status=yaml.safe_load(response.content);print(status)"
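The description above shows the unrestricted yaml.load() call and the errata replaces it with yaml.safe_load(). The following is an added example, not code from the UCS tree or from this bug: a stdlib-only scanner that walks Python source with the ast module and reports every PyYAML call site that still uses an unrestricted loader, so the same pattern can be hunted in other packages. The sample source it scans is constructed here, modelled on the snippet in the description with a few extra loader variants added for illustration; the function and class names are the example's own.

```python
"""Audit Python source for PyYAML calls that can construct arbitrary objects.

Added example, not UCS code. Accepted forms: yaml.safe_load / yaml.safe_load_all,
or yaml.load / yaml.load_all with Loader=yaml.SafeLoader or yaml.CSafeLoader.
Reported: load/load_all with any other loader or none at all, and the
unsafe_load*/full_load* family (FullLoader has had its own object-construction
bypasses, so only SafeLoader is treated as acceptable here).
"""
import ast
from typing import Dict, List, Set, Tuple

LOAD_FUNCS = {"load", "load_all"}
UNRESTRICTED_FUNCS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


def _loader_name(call: ast.Call) -> str:
    """Name of the Loader= argument (or the second positional one); '' if absent."""
    node = None
    for kw in call.keywords:
        if kw.arg == "Loader":
            node = kw.value
    if node is None and len(call.args) >= 2:
        node = call.args[1]
    if isinstance(node, ast.Attribute):   # yaml.SafeLoader
        return node.attr
    if isinstance(node, ast.Name):        # SafeLoader imported by name
        return node.id
    return ""


class UnsafeYamlFinder(ast.NodeVisitor):
    """Collects (line number, description) for every unrestricted YAML load."""

    def __init__(self) -> None:
        self.module_aliases: Set[str] = set()     # names bound to the yaml module
        self.func_aliases: Dict[str, str] = {}    # local name -> yaml function name
        self.findings: List[Tuple[int, str]] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name == "yaml":
                self.module_aliases.add(alias.asname or "yaml")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "yaml":
            for alias in node.names:
                self.func_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func, name = node.func, None
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in self.module_aliases):
            name = func.attr                      # yaml.load(...)
        elif isinstance(func, ast.Name) and func.id in self.func_aliases:
            name = self.func_aliases[func.id]     # from yaml import load as ...
        if name in LOAD_FUNCS:
            loader = _loader_name(node)
            if loader not in SAFE_LOADERS:
                self.findings.append((node.lineno, f"yaml.{name}(Loader={loader or 'default'})"))
        elif name in UNRESTRICTED_FUNCS:
            self.findings.append((node.lineno, f"yaml.{name}()"))
        self.generic_visit(node)


def find_unsafe_yaml_loads(source: str) -> List[Tuple[int, str]]:
    """Parse `source` and return the unrestricted YAML load call sites, sorted by line."""
    finder = UnsafeYamlFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


# Constructed sample input modelled on the snippet from the bug description;
# the alt* lines are added loader variants, not code from the UCS tree.
SAMPLE = '''\
import yaml
import requests
from yaml import load as yload

def _maintenance_information(version):
    url = 'https://updates.software-univention.de/download/ucs-maintenance/{}.yaml'.format(version)
    response = requests.get(url, timeout=10)
    if not response.ok:
        response.raise_for_status()
    status = yaml.load(response.content)                           # the bug: default loader
    alt1 = yaml.load(response.content, Loader=yaml.Loader)         # still unrestricted
    alt2 = yaml.load(response.content, Loader=yaml.SafeLoader)     # accepted
    alt3 = yaml.safe_load(response.content)                        # the errata fix
    alt4 = yload(response.content)                                 # aliased import, default loader
    return status
'''

if __name__ == "__main__":
    for lineno, what in find_unsafe_yaml_loads(SAMPLE):
        print(f"line {lineno}: {what}")
```

Run against a real tree, the scanner is a quick first pass only: it resolves `import yaml` / `import yaml as x` and `from yaml import ...`, but not loaders passed through variables or wrapper functions, so a clean result still deserves a grep for "yaml" before the package is declared safe.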
Comment 3 Arvid Requate univentionstaff 2020-07-23 13:59:50 CEST
bc55543151 | Advisory wording

Verified:
* Code change
* UCS release update via UMC from 4.4-4 to 4.4-5 with patched version