Date: Thu, 9 Aug 2018 17:42:39 +0200 From: Cedric Buissart <cbuissar@...hat.com> To: oss-security@...ts.openwall.com Subject: cobbler CVE-2018-10931: CobblerXMLRPCInterface exports internal only functions over XMLRPC Cobbler is a Linux installation server that allows for rapid setup of network installation environments. It is used in products like Red Hat Enterprise Satellite 5 and Spacewalk. Upstream project is at : https://cobbler.github.io/ While diagnosing the following 2 flaws : https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/ Another flaw has been found: cobbler exposes all functions from its CobblerXMLRPCInterface class over XMLRPC. However, python renames the __* function with _<classname>__<functionname>. A remote, unauthenticated attacker could use this flaw by calling the real name of any __* function and gain high privileges within cobbler or upload files to arbitrary location in the context of the daemon. This is identified as CVE-2018-10931 All versions of cobbler (at least since 2.0.7) are affected. To reproduce the issue: use the reproducers from the report above and call any __<name> function as _CobblerXMLRPCInterface__<name> The patch for this specific vulnerability (i.e.: it does *not* fix the vulnerability reported by movermeyer.com) : --- cobbler/remote.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cobbler/remote.py b/cobbler/remote.py index 94a18e7..ea0e354 100644 --- a/cobbler/remote.py +++ b/cobbler/remote.py @@ -1752,6 +1752,9 @@ class ProxiedXMLRPCInterface: def _dispatch(self, method, params, **rest): + if method.startswith('_'): + raise CX("forbidden method") + if not hasattr(self.proxied, method): raise CX("unknown remote method") --- Best regards, -- Cedric Buissart, Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ