Bug 39993

Summary: code execution vulnerability in updater module
Product: UCS
Reporter: Florian Best <best>
Component: UMC - Software update
Assignee: Florian Best <best>
Status: CLOSED FIXED
QA Contact: Stefan Gohmann <gohmann>
Severity: critical
Priority: P5
CC: gohmann, walkenhorst
Version: UCS 4.0
Target Milestone: UCS 4.1-0-errata
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=40354
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 40354

Description Florian Best univentionstaff 2015-11-17 12:00:18 CET
Everybody who is allowed to execute "updater/installer/execute" is able to execute arbitrary shell code.

PoC:
umc-client -U Administrator -P univention COMMAND updater/installer/execute -o job=release -o detail='; touch /tmp/hacked #'
Comment 1 Florian Best univentionstaff 2016-01-07 11:45:40 CET
There were 2 different types of injections:
1. The unquoted use of detail as command argument. This has been fixed by quoting it and restricting the general character set of detail.

2. The atjob comments didn't encode newlines so that comments could be used to inject code. The whole command and detail as well as some other things were stored as comments.
Example: detail='\ntouch /tmp/hacked;'

This has been fixed by removing every non-needed comment.
I also switched to using univention.lib.atjobs instead of our own implementation. There I fixed it so that atjob comments are encoded and command execution is not possible. This is also necessary to fix Bug #40354.

Backwards compatibility with the old univention-updater-atjob format does not seem necessary. Nevertheless, I added a fallback detection of the currently running update process via psutil if no atjob was found.

A ucs-test case for univention.lib.atjobs comments has also been added.

ucs-test (6.0.31-9):
r66621 | Bug #39993: add test case for univention.lib.atjobs comments

univention-updater (11.0.7-11):
r66589 | Bug #39993: fix code execution vulnerability
r66588 | Bug #39993: fix code execution vulnerability

univention-lib (5.0.0-14):
r66620 | Bug #40354: Bug #39993: encode atjob comments
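The two injection types described in Comment 1 (unquoted interpolation of "detail" into a shell command, and unescaped newlines inside at(1) job comments) and the corresponding fixes (character-set restriction plus quoting, and comment encoding) as an added illustration in Python. This is example code, not the univention-updater or univention.lib.atjobs source; the command name "updater-job", the whitelist DETAIL_RE and the backslash-based comment encoding are assumptions made for the example, since the report does not show the actual values.

```python
"""Hardening patterns for the two injection types in Bug #39993.

Added example; not Univention code. 'updater-job', DETAIL_RE and the
comment encoding are illustrative assumptions.
"""
import re
import shlex

# Assumption: the report says the character set of "detail" was restricted
# but does not list it; this whitelist is a constructed stand-in.
DETAIL_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$')


def is_valid_detail(detail):
    """True if the value consists only of whitelisted characters."""
    return DETAIL_RE.match(detail) is not None


def validate_detail(detail):
    """Reject anything outside the whitelist before it reaches a shell."""
    if not is_valid_detail(detail):
        raise ValueError('invalid detail value: %r' % (detail,))
    return detail


def build_shell_line_vulnerable(job, detail):
    """'Before' pattern (injection type 1): detail interpolated unquoted."""
    return 'updater-job --%s %s' % (job, detail)   # 'updater-job' is a placeholder


def build_shell_line_quoted(job, detail):
    """Quoting alone: the whole value becomes one argument, never a command."""
    return 'updater-job --%s %s' % (job, shlex.quote(detail))


def build_shell_line_hardened(job, detail):
    """'After' pattern: whitelist first, then quote as defence in depth."""
    return build_shell_line_quoted(job, validate_detail(detail))


def shell_words(line):
    """Tokenise a line the way a POSIX shell would, keeping ';' as its own
    token, so it is visible whether a value turned into a second command."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    return list(lex)


# --- injection type 2: line breaks inside at(1) job comments ---------------

def encode_comment(value):
    """Escape backslashes and line breaks so a value cannot end the '# ' line."""
    return (value.replace('\\', '\\\\')
                 .replace('\r', '\\r')
                 .replace('\n', '\\n'))


def decode_comment(value):
    """Inverse of encode_comment."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == '\\' and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({'\\': '\\', 'r': '\r', 'n': '\n'}.get(nxt, '\\' + nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def atjob_script(command, comments, encode=True):
    """Build the script text handed to at(1): one '# key: value' line per
    comment, then the command. encode=False reproduces the old, unsafe
    behaviour for comparison."""
    lines = []
    for key, value in comments.items():
        text = encode_comment(value) if encode else value
        lines.append('# %s: %s' % (key, text))
    lines.append(command)
    return '\n'.join(lines) + '\n'


def comment_lines_intact(script):
    """True if every line before the final command line is still a comment."""
    body = script.rstrip('\n').split('\n')
    return all(line.startswith('# ') for line in body[:-1])


if __name__ == '__main__':
    poc = '; touch /tmp/hacked #'                  # payload from the report
    print(shell_words(build_shell_line_vulnerable('release', poc)))
    print(shell_words(build_shell_line_quoted('release', poc)))
    print(comment_lines_intact(atjob_script('updater-job --release x',
                                            {'detail': '\ntouch /tmp/hacked;'},
                                            encode=False)))
    print(comment_lines_intact(atjob_script('updater-job --release x',
                                            {'detail': '\ntouch /tmp/hacked;'})))
```

The whitelist is the primary control and quoting the second layer: with the whitelist in place a rejected value never reaches shlex.quote at all, while the quoted-only variant shows why even an unrestricted value cannot terminate the command. For the at(1) script the encoding keeps each metadata value on its single comment line, and decode_comment restores the original when the job metadata is read back.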
Comment 2 Stefan Gohmann univentionstaff 2016-01-13 07:31:21 CET
Code review: OK

Tests: OK. Updater module still works as expected. I was unable to reproduce the original issue.

YAML: OK
Comment 3 Janek Walkenhorst univentionstaff 2016-01-13 13:10:02 CET
<http://errata.software-univention.de/ucs/4.1/50.html>
Comment 4 Janek Walkenhorst univentionstaff 2016-01-20 13:24:49 CET
<http://errata.software-univention.de/ucs/4.1/58.html>