Message #00014
[Bug 1177936] Re: Format string vulnerability in base OpenstackException handler
Jeremy, I think that's a good idea. Once you have the bug for reddwarf,
you can assign it to me. It would be good to fix the base ReddwarfError
class so that we're not susceptible to a similar format string
vulnerability in the future. Thanks!
--
You received this bug notification because you are a member of Murano
Core, which is subscribed to murano.
Matching subscriptions: team
https://bugs.launchpad.net/bugs/1177936
Title:
Format string vulnerability in base OpenstackException handler
Status in Cinder:
Invalid
Status in OpenStack Image Registry and Delivery Service (Glance):
Invalid
Status in Orchestration API (Heat):
Invalid
Status in Moniker:
Invalid
Status in Murano Project:
Invalid
Status in OpenStack Compute (Nova):
Invalid
Status in Oslo - a Library of Common OpenStack Code:
Invalid
Status in OpenStack Quantum (virtual network service):
Invalid
Status in RedDwarf - Database as a Service:
Fix Committed
Status in Savanna project:
Invalid
Bug description:
Description
A Reddwarf string format vulnerability exists in the class
OpenstackException, the base exception class. To implement the class,
as the comments in the class note, "inherit from it and define a
'message' property. That message will get printf'd with the keyword
arguments provided to the constructor". However, in the event that the
message property contains user-supplied data, a user can inject %
formatting string options to be printf'd.
Affected Services
Other projects in or related to OpenStack were found using either the
same base exception handler, or one very similar.
Nova – Class NovaException (optionally formats a string)
Quantum – Classes QuantumException & OpenstackException
Reddwarf – Class OpenstackException
Moniker – Class OpenstackException
Savanna – Class OpenstackException
Murano-Conductor - Class OpenstackException
Proof of Concept
The following will demonstrate the issue by using the RedDwarf web
service API to create a database with an invalid database name. This
causes a ValueError to occur which uses the database name as part of
the error message. When this is caught a BadRequest exception is
generated, which is then handled by a ReddwarfError in the web
service. Since ReddwarfError is a subclass of OpenstackException it
sets the global message variable that is then used to create the
format string.
{
    "databases": [
        {
            "character_set": "utf8",
            "collate": "utf8_general_ci",
            "name": "%-100sa"
        }
    ]
}
In this case the API will send back to the client an HTTP 400 bad
request with the following response body:
{"badRequest": {"message": "'{}                                                                                                  a' is not a valid database name", "code": 400}}
The message contains a "{}", 100 space characters and the character
'a'. The "{}" is due to kwargs being empty, -100 left-justifies the
string by padding 100 space characters followed by the 'a' character.
Since the padding takes an int value, a malicious user could include a
very large int causing a denial of service. While running the unit
tests for Reddwarf it was found that upon trying to create a database
with the name "test%999999999sdb", python allocated more than 2000
megabytes to handle a single request.
Recommendation
A class should not blindly format a string using a formatting variable
without being able to validate the input. Instead of formatting the
string, the exception base handler should take a string message
argument while subclasses take care of formatting any needed string to
pass into the super class.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1177936/+subscriptions
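The following is an added example and not RedDwarf or OpenStack code: a minimal Python model of the "message printf'd with kwargs" pattern the report describes, placed beside a base class written the way the Recommendation section suggests. Class names (VulnerableBaseError, SafeBaseError, SafeBadRequest), the two create_database_* functions and the VALID_NAME rule are all hypothetical, constructed only to reproduce the three behaviours the report mentions: the "{}" that appears when the empty kwargs dict is formatted, the width padding from "%-100s", and the memory growth from a large width.

```python
import re

# Constructed validation rule for this example only; the real service's
# rule is not shown in the bug report.
VALID_NAME = re.compile(r"^[A-Za-z0-9_]+$")


class VulnerableBaseError(Exception):
    """Model of the pattern the report describes: subclasses set `message`
    and the constructor printf's it with the keyword arguments. A caller
    that passes already-built text (as the ReddwarfError path does) makes
    that text the *template*, so any '%' inside it is interpreted."""

    message = "An unknown exception occurred"

    def __init__(self, message=None, **kwargs):
        if message is not None:
            self.message = message
        try:
            # '%s' % {} renders the empty dict itself, hence the "{}" in the
            # report; '%999999s' pads to that width, hence the memory use.
            self._error_string = self.message % kwargs
        except Exception:
            # fall back to the raw message when formatting fails (KeyError
            # for '%(x)s', TypeError for '%d' and so on)
            self._error_string = self.message
        super().__init__(self._error_string)

    def __str__(self):
        return self._error_string


class SafeBaseError(Exception):
    """Hardened form following the report's recommendation: the base class
    accepts a finished string and never runs it through '%'."""

    message = "An unknown exception occurred"

    def __init__(self, message=None):
        self._error_string = self.message if message is None else message
        super().__init__(self._error_string)

    def __str__(self):
        return self._error_string


class SafeBadRequest(SafeBaseError):
    """The subclass owns the template and does the formatting; user input
    is only ever a substituted value, never part of the template."""

    message = "'%(name)s' is not a valid database name"

    def __init__(self, **kwargs):
        super().__init__(self.message % kwargs)


def create_database_vulnerable(name):
    """Models the request path in the report: the ValueError text embeds
    the submitted name, the handler wraps it, and the base class then
    formats that text as a template with empty kwargs."""
    try:
        if not VALID_NAME.match(name):
            raise ValueError("'%s' is not a valid database name" % name)
    except ValueError as exc:
        return str(VulnerableBaseError(str(exc)))
    return "created %s" % name


def create_database_safe(name):
    """Same request path using the hardened classes."""
    if not VALID_NAME.match(name):
        return str(SafeBadRequest(name=name))
    return "created %s" % name


if __name__ == "__main__":
    # Constructed payloads: the report's padding case, a large width, a
    # mapping key that makes formatting fail, and a valid name.
    for payload in ("%-100sa", "%1000000sa", "%(x)s", "test_db"):
        print(repr(payload),
              len(create_database_vulnerable(payload)),
              len(create_database_safe(payload)))
```

With the vulnerable classes the "%-100sa" payload comes back as "'{}" followed by 98 spaces and "a", and a width of 1000000 makes the error string a megabyte long, which is the denial-of-service lever the report measured; with the hardened classes the same payloads are echoed back verbatim, since the submitted name is a value substituted by the subclass and the base class never interprets it.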