Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 12 Jan 2021 13:59:59 +0100
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: Security issues in hawk2 and crmsh

Hi folks,

We have received reports of 2 security issues for hawk and crmsh. These
hawk and crmsh projects refer to distros@ for their disclosure work.

These issues were reported to SUSE by Vincent Berg of Anvil Ventures.

1. Remote unauthenticated shell injection into the Hawk webserver

   Hawk is a High Availability specific webconsole with its own webserver.

   The Hawk webserver versions 2.2 up to now have a shell code injection
   issue via the "hawk_remember_me_id" cookie.

   It can be triggered from 2 places, via /login (with login_from_cookie) and /logout 
   interfaces.

   The cookie value is passed unquoted and unfiltered from ruby to a
   shell command as commandline argument. (Using %[shellcommand] pattern.)

   As hawk is running as "hauser" usually, this allows unauthenticated
   remote attackers to gain access to the "hauser" account.

   Introduced by https://github.com/ClusterLabs/hawk/commit/a939a099c6abdac383fbaede5e8655853222c887#diff-5349b200e8dc7ea82818115aa0aa1522

   We have received CVE-2020-35458 from Mitre for this issue.

   Our team did a fix that does not use an subshell to invoke the command, patch is attached.


2. Local root privilege escalation via hawk and crmsh shell code injection

   crmsh is a commandline shell utility to query or configure a HA cluster.

   The Hawk webconsole contains a "setuid root" helper tool called "hawk_invoke", which
   allows hawk to call some root functionality in "crmsh".

   hawk_invoke allows calls from "hauser" or "vagrant" users only.

   hawk_invoke has a whitelist of "crmsh" commandline options, but does not do any
   filtering or blocking of stdin.

   The "crm history" sub-command is whitelisted by hawk_invoke.

   It opens its own sub-shell with various commands, one of them is "session create SESSION"
   This subcommand will create a directory "SESSION" by calling:

		if utils.pipe_cmd_nosudo("mkdir -p %s" % session_dir) != 0:

   which again does not filter the input.

   This allows local privilege escalation from "hauser" or "vagrant" to root.

   We have received CVE-2020-35459 from Mitre for this issue.

   Currently we will fix only the unsafe mkdir and add ; to the blacklist filtering, a patch is attached.

Due to shortness of time we did not yet do a full (re)audit of crmsh and hawk, we are currently working on that.

The whole hawk_invoke setuid root setup also needs a full redesign.

Ciao, Marcus

View attachment "hawk2-CVE-2020-35458.patch" of type "text/x-patch" (1974 bytes)

View attachment "crmsh-CVE-2020-35459.patch" of type "text/x-patch" (3341 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.