Module: check_mk
Branch: master
Commit: 0fe2a45b299a8f5c5da332410eec2c45aac2ba1e
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0fe2a45b299a8f…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jun 23 16:01:20 2014 +0200
Fix code injection for logged in users via automation url
This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:
<i>The check_mk applications uses insecure API calls, which allow an attacker
to execute arbitrary code on the server by issuing just a single URL. The
reason for this is the usage of the insecure "pickle" API call. Apparently
this was modified as a security means from a former version, which used
"eval"-like structures with untrusted input data. Anyhow, as the python API
documentation clearly state, "pickle" should be considered unsafe as well,
see: <tt>https://docs.python.org/2/library/pickle.html</tt>.</i>
The fix replaces <tt>pickle</tt> with <tt>ast.literal_eval</tt> from the <tt>ast</tt> module.
Unfortunately
this module is not available on Centos/RedHat 5.X and Debian 5. On these
systems WATO still uses <tt>pickle</tt>, even with this fix.
<b>Note:</b> This change makes the current Check_MK versions incompatible
to older versions. In a mixed environment with old and new Check_MK versions or with old
and newer Python versions you have to force WATO to use the old
unsafe method by setting <tt>wato_legacy_eval = True<tt> in
<tt>multisite.mk</tt>.
This can also be done with the new global WATO setting <i>Use unsafe legacy
encoding for distributed WATO</i>.
Conflicts:
web/plugins/config/wato.py
---
.werks/984 | 28 ++++++++++++++++++++++++++++
ChangeLog | 2 ++
web/htdocs/wato.py | 14 ++++++++++++--
web/plugins/config/wato.py | 1 +
web/plugins/wato/check_mk_configuration.py | 14 ++++++++++++++
5 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/.werks/984 b/.werks/984
new file mode 100644
index 0000000..2af5ca2
--- /dev/null
+++ b/.werks/984
@@ -0,0 +1,28 @@
+Title: Fix code injection for logged in users via automation url
+Level: 2
+Component: wato
+Class: incomp
+State: unknown
+Version: 1.2.5i4
+Date: 1401195677
+
+This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:
+
+<i>The check_mk applications uses insecure API calls, which allow an attacker
+to execute arbitrary code on the server by issuing just a single URL. The
+reason for this is the usage of the insecure "pickle" API call. Apparently
+this was modified as a security means from a former version, which used
+"eval"-like structures with untrusted input data. Anyhow, as the python API
+documentation clearly state, "pickle" should be considered unsafe as well,
+see: <tt>https://docs.python.org/2/library/pickle.html</tt>.</i>
+
+The fix replaces <tt>pickle<tt> with a module called
<tt>ast</tt>. Unfortunately
+this module is not available on Centos/RedHat 5.X and Debian 5. On these
+systems WATO still uses <tt>pickle</tt>, even with this fix.
+
+<b>Note:</b> This change makes the current Check_MK versions incompatible
+to older versions. In a mixed environment with old and new Check_MK versions or with
old
+and newer Python versions you have to force WATO to use the old
+unsafe method by setting <tt>wato_legacy_eval = True<tt> in
<tt>multisite.mk</tt>.
+This can also be done with the new global WATO setting <i>Use unsafe legacy
+encoding for distributed WATO</i>.
diff --git a/ChangeLog b/ChangeLog
index 57219a8..4facaf0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,8 @@
* 0822 FIX: Sorting columns in view dashlets is now working again
WATO:
+ * 0984 Fix code injection for logged in users via automation url...
+ NOTE: Please refer to the migration notes!
* 0987 New button for updating DNS cache...
* 0824 SEC: Valuespecs: Fixed several possible HTML injections in valuespecs...
* 0813 FIX: LDAP: Improved slightly missleading logging of LDAP sync actions...
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index edf2644..972ea68 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -16964,12 +16964,22 @@ def validate_all_hosts(hostnames, force_all = False):
# '----------------------------------------------------------------------'
import base64
+try:
+ import ast
+except:
+ ast = None
def mk_eval(s):
- return pickle.loads(base64.b64decode(s))
+ if ast and not config.wato_legacy_eval:
+ return ast.literal_eval(base64.b64decode(s))
+ else:
+ return pickle.loads(base64.b64decode(s))
def mk_repr(s):
- return base64.b64encode(pickle.dumps(s))
+ if ast and not config.wato_legacy_eval:
+ return base64.b64encode(repr(s))
+ else:
+ return base64.b64encode(pickle.dumps(s))
# Returns true when at least one folder is defined in WATO
def have_folders():
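Review bot: The bare `except:` around the new `import ast` swallows every exception, not only a missing module, so any failure in that import would silently route every automation request back through `pickle.loads` — the very path this commit is removing; narrow it to `except ImportError:`. The fallback is also silent: when `ast` is absent or `wato_legacy_eval` is set, nothing records that request data is being unpickled again, so the `else` branch of `mk_eval` deserves at least a comment such as `# UNSAFE: pickle.loads on request data, kept only for old Python / mixed-version setups` (a logged warning would be better). Note too that `mk_repr` now emits `repr(s)`, which `ast.literal_eval` on the peer can only parse for plain literals (strings, numbers, tuples, lists, dicts, booleans, None); if any exchanged value is a set, a datetime or another object, the receiving site will raise `ValueError` rather than decode it. `ast.literal_eval` also still accepts arbitrarily deep or large input, so this removes code execution but not resource exhaustion from the endpoint; the `config` module read here is defined outside this hunk.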
diff --git a/web/plugins/config/wato.py b/web/plugins/config/wato.py
index 590a145..844ed8b 100644
--- a/web/plugins/config/wato.py
+++ b/web/plugins/config/wato.py
@@ -40,6 +40,7 @@ wato_write_nagvis_auth = False
wato_use_git = False
wato_hidden_users = []
wato_user_attrs = []
+wato_legacy_eval = False
def tag_alias(tag):
for entry in wato_host_tags:
diff --git a/web/plugins/wato/check_mk_configuration.py
b/web/plugins/wato/check_mk_configuration.py
index dd48836..4a0aaac 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -483,6 +483,20 @@ register_configvar(group,
domain = "multisite"
)
+register_configvar(group,
+ "wato_legacy_eval",
+ Checkbox(
+ title = _("Use unsafe legacy encoding for distributed WATO"),
+ help = _("The current implementation of WATO uses a Python module called
<tt>ast</tt> for the "
+ "communication between sites. Previous versions of Check_MK used an
insecure encoding "
+ "named <tt>pickle</tt>. Even in the current version
WATO falls back to <tt>pickle</tt> "
+ "if your Python version is not recent enough. This is at least the
case for RedHat/CentOS 5.X "
+ "and Debian 5.0. In a mixed environment you can force using the
legacy <tt>pickle</tt> format "
+ "in order to create compatibility."),
+ ),
+ domain = "multisite"
+)
+
register_configvar(group,
"wato_hide_filenames",