perfsonar / project

The perfSONAR project's primary wiki and issue tracker.
Apache License 2.0

Vulnerability in PerfSONAR web interface #781

Closed arlake228 closed 9 years ago

arlake228 commented 9 years ago

Original issue 783 created by arlake228 on 2013-10-01T13:06:43.000Z:

Hi,

I've been testing perfSONAR-PS toolkit this week and I've found a security problem with the web interface. I presume this falls somewhat within the SVG remit as most WLCG sites have a perfSONAR node now. It's quite circuitous to exploit (and explain!), but I've tried to write it up below.

A quick summary before going into the detail: With quite a bit of work an attacker running their own hostile MA can read files from any perfSONAR-PS frontend node in the default configuration (as the apache user) and/or use it like a web proxy server without any authentication.

The perfSONAR results pages fetch their data from the backend by requesting a URL like the following. By default the URL requires no authentication and isn't firewalled.

/serviceTest/getData.cgi?ma_url=http://localhost:8085/perfSONAR_PS/services/pSB&eventType=http://ggf.org/ns/nmwg/characteristic/delay/summary/20070921&nocache=1378989487791

By replacing the ma_url with a remote one, you can get the server to fetch results from other perfSONAR boxes (by design I think), but this also gives an attacker a chance to perform various bits of mischief:

The ma_url isn't checked very well, you can use this for rudimentary port scanning by giving it URLs like http://my.host:22 and seeing how long the page takes to load.

An attacker could point it to a server under their control and return their own XML file. The attacker's ma_url server could return a very recursive XML file and DoS the perfSONAR-PS node by depleting the RAM.

The XML file returned by the attacker can have XML include statements which are expanded on the perfSONAR-PS node and then returned. Even remote web-pages can be included as the XML processor has remote includes enabled by default.

Using a python script that I wrote as my "hostile" MA, I was able to read things like /etc/passwd from the perfSONAR-PS machine (or anything else the apache user can read) and load remote webpages. The text is returned in one of the fields that would normally hold information (See some example output in [1]). I found I can't read files that contain some special characters, but this is probably a limitation in my implementation (I'm using XML ENTITY includes, whereas I suspect I could use XIncludes instead).

Regards, Simon

[1] A perfSONAR host dumping its passwd file: { "Inactive" : null, "Active" : [ { "protocol" : "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\ngames:x:12:100:games:/usr/games:/sbin/nologin\ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin...
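
The two weaknesses described in the report above (an unchecked ma_url that turns the frontend into a proxy/port prober, and an XML parser that expands attacker-declared external entities) are easy to demonstrate side by side. The code below is an added illustration written for this page, not code from the original report, from Simon's "hostile MA" script, or from perfSONAR-PS (which is Perl); it is stand-alone Python using only the standard library. The host allowlist, port list, size cap and nesting cap are assumed values for the example, not perfSONAR defaults, and the temp file stands in for /etc/passwd.

```python
"""Added example: unvalidated ma_url (SSRF) and external-entity expansion in an
MA response, each beside a hardened counterpart. Standard library only."""
import os
import tempfile
from urllib.parse import urlsplit
from xml.parsers import expat

# Assumed allowlist for the example: the MAs this frontend is meant to query.
# The reported getData.cgi accepted any ma_url at all.
ALLOWED_MA_HOSTS = {"localhost", "ps-ma.example.org"}
ALLOWED_MA_PORTS = {8085}


def validate_ma_url(url):
    """Return url unchanged if it points at a known MA; raise ValueError otherwise.
    Rejects http://my.host:22-style port probes, file:// and embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("ma_url scheme must be http(s): %r" % url)
    if parts.username or parts.password:
        raise ValueError("credentials not allowed in ma_url")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_MA_HOSTS:
        raise ValueError("ma_url host is not an allowed MA: %r" % host)
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_MA_PORTS:
        raise ValueError("ma_url port not allowed: %d" % port)
    return url


def hostile_ma_response(system_id):
    """What a hostile MA returns: a DTD declaring an external entity that the
    victim's parser fetches (file:// here; http:// works the same) and echoes."""
    return ("<?xml version='1.0'?>"
            "<!DOCTYPE data [<!ENTITY xxe SYSTEM '%s'>]>"
            "<data><protocol>&xxe;</protocol></data>" % system_id).encode()


def vulnerable_parse_text(xml_bytes):
    """Emulates a parser with external entity loading enabled: the handler reads
    whatever the DTD points at and splices it into the document's text."""
    parser = expat.ParserCreate()
    text = []

    def external_entity(context, base, system_id, public_id):
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            body = fh.read()
        child = parser.ExternalEntityParserCreate(context)  # parse entity body in context
        child.CharacterDataHandler = text.append
        child.Parse(body, True)
        return 1  # tell expat the entity was handled

    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text)


def safe_parse_text(xml_bytes, max_bytes=1 << 20, max_depth=64):
    """Hardened counterpart: refuse any DOCTYPE (so no entities at all), cap the
    response size, and cap nesting depth against the recursive-XML DoS."""
    if len(xml_bytes) > max_bytes:
        raise ValueError("MA response too large")
    parser = expat.ParserCreate()
    text, depth = [], [0]

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE not allowed in MA response")

    def reject_external(context, base, system_id, public_id):
        raise ValueError("external entity not allowed")  # belt and braces

    def start(name, attrs):
        depth[0] += 1
        if depth[0] > max_depth:
            raise ValueError("MA response nested too deeply")

    def end(name):
        depth[0] -= 1

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def demo():
    """Plant a constructed passwd-style line in a temp file, feed the hostile
    response to both parsers, and report what each did."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"root:x:0:0:root:/root:/bin/bash\n")
        os.close(fd)
        payload = hostile_ma_response("file://" + path)
        leaked = vulnerable_parse_text(payload)
        try:
            safe_parse_text(payload)
            blocked = False
        except ValueError:
            blocked = True
    finally:
        os.unlink(path)
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Running it shows the planted line coming back through the vulnerable parser, exactly as the passwd dump in [1] came back in the "protocol" field, while the hardened parser rejects the response at the DOCTYPE before any entity is declared. Rejecting DTDs outright is simpler and safer than trying to disable individual entity types, and the allowlist on ma_url is what stops the frontend from being used as a proxy or port scanner regardless of what the remote end returns.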

arlake228 commented 9 years ago

Comment #1 originally posted by arlake228 on 2013-10-01T13:26:17.000Z:

<empty>

arlake228 commented 9 years ago

Comment #2 originally posted by arlake228 on 2013-10-10T11:05:30.000Z:

Dear Shawn McKee, PerfSONAR team

The Software Vulnerability Concerning PerfSONAR web interface problems has been assessed as 'Moderate' risk. Hence a target date for resolution has been set to 4 months from now, to 10th February 2013. Please ensure that this issue is resolved in the software available for installation in the EGI infrastructure by this date.

Information is available in the EGI RT at https://rt.egi.eu/rt/Ticket/Display.html?id=6052

If you cannot view this or need further information then please ask.

We will draft an advisory, and would appreciate your input to ensure it is complete and correct.

The advisory will be located at

https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2013-6052

Please ensure that your release notes refer to this advisory.

Please also provide a link to your release notes for inclusion in the advisory (this may be done shortly before you release the software) and let us know when you are about to release the software so that we can release the advisory when you release your software.

Regards,

The EGI Software Vulnerability Group (SVG)


Dr Linda Cornwall, Particle Physics Department, STFC, The Rutherford Appleton Laboratory, Harwell Science and Innovation Campus, DIDCOT, OX11 OQX, England

Tel. 44/0 1235 44 6138 ------------ E-mail Linda.Cornwall@stfc.ac.uk


arlake228 commented 9 years ago

Comment #3 originally posted by arlake228 on 2013-10-14T13:21:55.000Z:

<empty>

arlake228 commented 9 years ago

Comment #4 originally posted by arlake228 on 2013-10-15T18:45:03.000Z:

<empty>

arlake228 commented 9 years ago

Comment #5 originally posted by arlake228 on 2013-10-18T13:47:23.000Z:

<empty>

arlake228 commented 9 years ago

Comment #6 originally posted by arlake228 on 2013-10-18T14:40:48.000Z:

<empty>

arlake228 commented 9 years ago

Comment #7 originally posted by arlake228 on 2013-10-25T17:21:18.000Z:

Patch included in commit 5758

arlake228 commented 9 years ago

Comment #8 originally posted by arlake228 on 2014-01-31T18:46:33.000Z:

<empty>