[Bug 829234] Re: [MIR] socat

Jamie Strandboge jamie at ubuntu.com
Wed Sep 21 16:07:21 UTC 2011


I'll answer my own question, from nova/virt/libvirt/connection.py:
        def get_pty_for_instance(instance_name):
            virt_dom = self._lookup_by_name(instance_name)
            xml = virt_dom.XMLDesc(0)
            dom = minidom.parseString(xml)

            for serial in dom.getElementsByTagName('serial'):
                if serial.getAttribute('type') == 'pty':
                    source = serial.getElementsByTagName('source')[0]
                    return source.getAttribute('path')

        port = get_open_port()
        token = str(uuid.uuid4())
        host = instance['host']

        ajaxterm_cmd = 'sudo socat - %s' \
                       % get_pty_for_instance(instance['name'])

        cmd = ['ajaxterm', '--command', ajaxterm_cmd, '-t', token,
                '-p', port, '-T', '300']

        utils.execute(cmd)

I think this could potentially be replaced with netcat as it looks like
netcat provides equivalent args. I'm not sure why we are using '-t
<token>' with socat since '-t' is a timeout value....

socat is being invoked as root by nova here, and the socat code is fairly crufty (see my review below) so this is not desirable. On my non-nova qemu-kvm VMs, I see that the pty is owned by the unprivileged libvirt-qemu:
$ ls -l /dev/pts/5
crw--w---- 1 libvirt-qemu tty 136, 5 2011-09-21 10:29 /dev/pts/5

I can say that while the code is running as root, the arguments passed
to socat do not seem to be under attacker control and utils.execute() is
not generally susceptible to shell injection on this host, so that is
good. However, combined with ajaxterm, it does look like if someone is
somehow able to adjust the output of the get_pty_for_instance() command,
then, via shell injection, the arguments to socat could be adjusted for
arbitrary code execution (since it supports scripting). Fiddling with
libvirt and defining some bad XML, I was not able to subvert libvirt
into accepting bad input, but I also didn't try very hard.

Perhaps if sticking with socat these can be adjusted:
- run socat with least privilege (keep in mind that libvirt can be configured to run VMs as root, and I haven't looked at LXC, if that is relevant)
- perform input validation on get_pty_for_instance() to defend against any bugs in libvirt

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to socat in Ubuntu.
https://bugs.launchpad.net/bugs/829234

Title:
  [MIR] socat

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/socat/+bug/829234/+subscriptions



More information about the Ubuntu-server-bugs mailing list