LDAP Management: Possible Command Injection Vulnerability in adapters/postini.py

Status: VERIFIED FIXED
Reported: 6 years ago
Modified: 3 years ago

People: Reporter: freddyb, Assigned: rtucker

Tracking: Trunk
Keywords: sec-critical, wsec-injection

Firefox Tracking Flags: (Not tracked)

Attachments: 1 attachment, 1 obsolete attachment

This code that handles postini uses user input in commands that
are being executed at system level. If the sanitation function can
be bypassed, attackers may compromise the whole system the Management
Interface runs on.

Instead of the current approach, I would advocate for using a different
command execution function that allows the separation of the command
and its parameters, e.g. Popen.

My PoC exploit didn't work because I assume that the dev-server doesn't really use the postini bridge and I felt a bit hesitant to try my exploit on production just to prove a point :)

But I successfully registered a username with the email address <fbrau`sleep${IFS}5`n2@mozilla.com>, which makes me quite confident we should fix this quickly.
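An added illustration of the os.system pattern this report describes beside the Popen/argv fix it recommends (example code written for this page, not the LDAP Management project's adapters/postini.py; the postini-admin tool name and its adduser subcommand are assumptions, and the sample address is the one quoted above):

```python
"""Added example, not the LDAP Management project's code: the os.system
pattern the bug describes beside the Popen/argv fix it recommends.
The Postini tool name and subcommand below are assumptions."""
import subprocess
import sys

# Constructed sample: the address the reporter registered, which carries
# a shell command substitution inside the local part.
HOSTILE_EMAIL = "fbrau`sleep${IFS}5`n2@mozilla.com"

# Assumed tool name; stands in for whatever adapters/postini.py invoked.
POSTINI_TOOL = "postini-admin"


def shell_command_for(email):
    """The vulnerable pattern: one string handed to os.system, so the
    shell parses it and any backticks, $(...), ; or | in `email` become
    code. Returned as a string and never executed here."""
    return "%s adduser %s" % (POSTINI_TOOL, email)


def argv_for(email):
    """The fix: a list for subprocess.Popen with shell=False, so `email`
    reaches the tool as one argv element and is never shell-parsed."""
    return [POSTINI_TOOL, "adduser", email]


def shell_metachars_in(s):
    """The characters a deny-list sanitiser would have to catch; listing
    them shows why argv separation (no shell at all) is the safer fix."""
    return sorted(c for c in set(s) if c in "`$(){};|&<>\"'\\ \n")


def argv_round_trip(email):
    """Demonstrate argv separation by running a child Python process in
    place of the real tool and returning what it received as argv[1]:
    the backticks arrive literally, nothing is substituted or run."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", email],
        capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    print("os.system string:", shell_command_for(HOSTILE_EMAIL))
    print("metacharacters:  ", shell_metachars_in(HOSTILE_EMAIL))
    print("argv for Popen:  ", argv_for(HOSTILE_EMAIL))
    print("child received:  ", argv_round_trip(HOSTILE_EMAIL))
```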
(Assignee)

Updated

6 years ago
Assignee: nobody → rtucker
(Assignee)

Comment 1

6 years ago
How did you inject the username fbrau`sleep${IFS}5`n2@mozilla.com?

Did you do this by calling the PostiniUser directly from a Python shell script or from the web interface?
(Assignee)

Comment 3

6 years ago
Created attachment 727141: Patch to use popen
Attachment #727141 - Flags: review?(fbraun)
(Assignee)

Comment 4

6 years ago
Created attachment 727163: Patch to use popen
Attachment #727141 - Attachment is obsolete: true
Attachment #727163 - Flags: review?(fbraun)
Attachment #727141 - Flags: review?(fbraun)
Comment on attachment 727163: Patch to use popen

Looks good!
Attachment #727163 - Flags: review?(fbraun) → review+
This patch didn't fix all of the os.system() calls, but I talked to rtucker out of band and they are going to be checked in to the repo after my tests are completed.
(Assignee)

Comment 7

6 years ago
I've patched all of the os.system calls to use popen.

Can you confirm and then we can close.

Thanks again for everything!
Verified.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: webtools-security