Univention Bugzilla – Bug 39993
code execution vulnerability in updater module
Last modified: 2021-06-23 07:29:11 CEST
Everybody who is allowed to execute "updater/installer/execute" is able to execute arbitrary shell code.

PoC:
umc-client -U Administrator -P univention COMMAND updater/installer/execute -o job=release -o detail='; touch /tmp/hacked #'
There were 2 different types of injections:

1. The unquoted use of detail as command argument.
This has been fixed by quoting it and restricting the general character set of detail.

2. The atjob comments didn't encode newlines so that comments could be used to inject code. The whole command and detail as well as some other things were stored as comments.
Example: detail='\ntouch /tmp/hacked;'
This has been fixed by removing every non-needed comment.

I also switched to the usage of univention.lib.atjobs instead of the own implementation. There I fixed that atjob comments are encoded so that command execution is not possible. This is also necessary to fix Bug #40354.

Backwards compatibility with the old univention-updater-atjob format seems not necessary. Nevertheless I added a fallback detection of the current running update process via psutil if no atjob was found.

A ucs-test case for univention.lib.atjobs comments has also been added.

ucs-test (6.0.31-9):
r66621 | Bug #39993: add test case for univention.lib.atjobs comments

univention-updater (11.0.7-11):
r66589 | Bug #39993: fix code execution vulnerability
r66588 | Bug #39993: fix code execution vulnerability

univention-lib (5.0.0-14):
r66620 | Bug #40354: Bug #39993: encode atjob comments
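Added example, not part of the original comment and not the code from univention-updater or univention.lib.atjobs: a minimal Python sketch of the two fixes described above, an allow-list plus quoting for detail and an encoding for atjob comments that keeps each comment on one "#" line. The allow-list pattern, the comment line format, the function names and the /usr/sbin/example-updater path are all assumptions made for illustration.

```python
import re
import shlex
from urllib.parse import quote, unquote

# Assumed allow-list; the report only says the character set of detail was restricted.
DETAIL_RE = re.compile(r'[A-Za-z0-9._-]*')

def validate_detail(detail):
    """Reject anything outside the allow-list before it gets near a shell.
    fullmatch() is used because '$' would still accept a trailing newline."""
    if not DETAIL_RE.fullmatch(detail):
        raise ValueError('invalid detail: %r' % (detail,))
    return detail

def encode_comment(key, value):
    """One '#' line per comment; newlines and shell metacharacters are percent-encoded."""
    return '# %s: %s' % (quote(key, safe=''), quote(value, safe=' '))

def decode_comment(line):
    """Inverse of encode_comment() for a reader of the job file."""
    key, _, value = line[2:].partition(': ')
    return unquote(key), unquote(value)

def build_job_script(argv, comments):
    """Text handed to at(1): encoded comment lines, then one fully quoted command line."""
    lines = [encode_comment(k, v) for k, v in sorted(comments.items())]
    lines.append(' '.join(shlex.quote(arg) for arg in argv))
    return '\n'.join(lines) + '\n'

def executable_lines(script):
    """Lines the shell would run: everything that is neither blank nor a comment."""
    return [l for l in script.splitlines() if l.strip() and not l.startswith('#')]

if __name__ == '__main__':
    # Constructed inputs: the two detail values quoted in this report.
    as_argument = '; touch /tmp/hacked #'
    as_comment = '\ntouch /tmp/hacked;'
    for value in (as_argument, as_comment):
        try:
            validate_detail(value)
        except ValueError as exc:
            print('rejected:', exc)
    # Second layer: even if validation were skipped, the job text stays one command.
    script = build_job_script(['/usr/sbin/example-updater', 'release', as_argument],
                              {'detail': as_comment})
    print(script, end='')
    print('commands the shell would run:', len(executable_lines(script)))
```

Validation and encoding are independent layers here: the allow-list rejects both values outright, and the quoting and comment encoding still hold if a caller forgets to validate.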
Code review: OK
Tests: OK. Updater module still works as expected. I was unable to reproduce the original issue.
YAML: OK
<http://errata.software-univention.de/ucs/4.1/50.html>
<http://errata.software-univention.de/ucs/4.1/58.html>