Module: check_mk
Branch: master
Commit: 570e49fb2ff67a899f8054df99eb47ee474d8db0
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=570e49fb2ff67a…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Sep 13 17:04:41 2016 +0200
3855 SEC Fixed possible command injection by privileged WATO users
In all previous 1.2.8 versions authenticated and privileged WATO users,
the ones which are able to add or edit hosts, were able to inject shell
commands to Check_MK which are then executed in the context of the monitoring
site user.
The user was able to configure a host address in a specific format to inject
such shell commands into the configuration. Once the configuration was activated
and loaded into the monitoring core, the command was executed in the context of
the monitoring site user at the moment a parent scan was started for that host.
Thanks for analyzing and reporting this issue to Christian Fünfhaus!
---
.werks/3855 | 20 ++++++++++++++++++++
ChangeLog | 1 +
modules/check_mk.py | 8 ++++----
3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/.werks/3855 b/.werks/3855
new file mode 100644
index 0000000..9285584
--- /dev/null
+++ b/.werks/3855
@@ -0,0 +1,20 @@
+Title: Fixed possible command injection by privileged WATO users
+Level: 2
+Component: wato
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.4.0i1
+Date: 1473778544
+
+In all previous 1.2.8 versions authenticated and privileged WATO users,
+the ones which are able to add or edit hosts, were able to inject shell
+commands to Check_MK which are then executed in the context of the monitoring
+site user.
+
+The user was able to configure a host address in a specific format to inject
+such shell commands to the configuration. Once the configuration was activated
+and loaded into the monitoring core, the command was executed in context of
+the monitoring site user in the moment a parent scan was started for that host.
+
+Thanks for analyzing and reporting this issue to Christian Fünfhaus!
diff --git a/ChangeLog b/ChangeLog
index 4a0f6d7..c370b64 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -521,6 +521,7 @@
* 3792 check_http: now able to configure HTTP method PROPFIND
* 3851 Host edit dialog: Checkbox hosttags are now checked by default...
* 3800 WATO rule overview: Adjusted wording of condition texts
+ * 3855 SEC: Fixed possible command injection by privileged WATO users...
* 3060 FIX: Folder properties: Fixed exception when a user has no alias set...
* 3062 FIX: Git integration: Fixed not adding files in WATO folders to git control
* 3203 FIX: Distributed WATO: Fixed exception in remote host service discovery...
diff --git a/modules/check_mk.py b/modules/check_mk.py
index 00c5f18..ba4657c 100755
--- a/modules/check_mk.py
+++ b/modules/check_mk.py
@@ -4600,8 +4600,8 @@ def do_scan_parents(hosts):
sys.stdout.write("\nWrote %s\n" % outfilename)
def gateway_reachable_via_ping(ip, probes):
- return 0 == os.system("ping -q -i 0.2 -l 3 -c %d -W 5 '%s' >/dev/null
2>&1" %
- (probes, ip)) >> 8
+ return 0 == os.system("ping -q -i 0.2 -l 3 -c %d -W 5 %s >/dev/null
2>&1" %
+ (probes, quote_shell_string(ip))) >> 8
def scan_parents_of(hosts, silent=False, settings={}):
if monitoring_host:
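Review bot: The new `gateway_reachable_via_ping` line still hands the whole command line to a shell through `os.system`, so the fix rests entirely on `quote_shell_string` (defined outside this hunk) being correct for every value `ip` can hold; the `os.popen(command)` path in the `scan_parents_of` hunk below has the same shape. Running the binary without a shell removes that dependency, e.g. `return 0 == subprocess.call(["ping", "-q", "-i", "0.2", "-l", "3", "-c", str(probes), "-W", "5", "--", ip], stdout=devnull, stderr=subprocess.STDOUT)` with `devnull` opened once on `os.devnull`, and `subprocess.Popen` with an argument list for the traceroute call. Shell quoting also does not prevent a value starting with `-` from being parsed by `ping` or `traceroute` as an option, so the address should be validated as an IP literal before it reaches either command (the `--` end-of-options marker helps where the binary honours it); whether `lookup_ipv4_address` already guarantees a well-formed address is not visible here. A short comment such as `# ip is interpolated into a shell command line; it must be quoted (or, better, passed as a separate argv element)` above the `return` would document why the quoting helper is required.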
@@ -4620,11 +4620,11 @@ def scan_parents_of(hosts, silent=False, settings={}):
sys.stdout.flush()
try:
ip = lookup_ipv4_address(host)
- command = "traceroute -w %d -q %d -m %d -n '%s'
2>&1" % (
+ command = "traceroute -w %d -q %d -m %d -n %s 2>&1" % (
settings.get("timeout", 8),
settings.get("probes", 2),
settings.get("max_ttl", 10),
- ip)
+ quote_shell_string(ip))
if opt_debug:
sys.stderr.write("Running '%s'\n" % command)
procs.append( (host, ip, os.popen(command) ) )