[OSSA 2013-004] Local file leak through entities in XML requests (CVE-2013-1665)

Bug #1100279 reported by Thierry Carrez
Affects                          Status         Importance   Assigned to      Milestone
OpenStack Identity (keystone)    Fix Released   High         Dolph Mathews
  Essex                          Fix Released   High         Dolph Mathews
  Folsom                         Fix Released   High         Dolph Mathews
OpenStack Security Advisory      Fix Released   Undecided    Thierry Carrez

Bug Description

Evil XML! Jonathan Murray from NCC Group reported that you can leak local file contents using XML entities in Keystone requests:

POST /v2.0//OS-KSDM/roles HTTP/1.1
x-auth-token: d0e1a2d3b4e5e6f7
content-type: application/xml

<!DOCTYPE doc [ <!ENTITY eny SYSTEM "file:///etc/passwd"> ]>
<role>
<name>&ent;</name>
</role>

just returns the content of the local file in role.name.

Looks like we should disable parsing entities altogether, they seem to be exploitable in pretty awesome ways. I'm not sure only Keystone is affected by this.

Thierry Carrez (ttx) wrote :

Adding Joe Heck and Dan Prince for confirmation.

Thierry Carrez (ttx) wrote :

Dolph: I suspect your patch from bug 1100282 would solve that one as well ?

Thierry Carrez (ttx) wrote :

proposed combined impact description on bug 1100282

Dolph Mathews (dolph) wrote :

Agree; fix for bug 1100282 solves this one as well on essex + folsom + master.

Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
status: New → Confirmed
Dolph Mathews (dolph) wrote :

There's a couple typos in the example above, but I was able to use this method to read /etc/passwd through the API.

Dolph Mathews (dolph) wrote :

I also confirmed that the fix for bug 1100282 eliminates the issue.

Running that fix with the above example results in the service simply receiving an empty string for the role name.
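The bug description shows an entity declared in the request's DTD being expanded into the role name, and the comment above notes that with the merged fix (the commits titled "Disable XML entity parsing") the service just sees an empty string. The following is an added example, not Keystone's own code: a small deserializer for the same <role> body, built on Python's standard-library expat bindings, that applies the same policy of switching entity handling off rather than filtering it. The function names, the UnsafeXML exception and the two sample bodies are constructed for this example.

```python
# Added example (not Keystone's code): deserialize a Keystone-style <role>
# request body with XML entity handling disabled outright.
import xml.parsers.expat

# Constructed sample bodies, not captured traffic. The second mirrors the
# shape of the request in the bug description.
SAFE_BODY = b"<role><name>admin</name></role>"
MALICIOUS_BODY = (
    b'<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>'
    b"<role><name>&ent;</name></role>"
)


class UnsafeXML(ValueError):
    """A request body used DTD/entity features the API does not allow."""


def parse_role_xml(body):
    """Return {'name': ...} from a <role><name>...</name></role> body.

    Any <!DOCTYPE ...> (and so any <!ENTITY ...> declaration) aborts the
    parse, parameter entities are never expanded, and an external entity
    reference that somehow reaches the parser is refused, not fetched.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def reject_entity_decl(entity_name, is_parameter_entity, value, base,
                           system_id, public_id, notation_name):
        raise UnsafeXML("entity declaration %r refused" % entity_name)

    def refuse_external_ref(context, base, system_id, public_id):
        # The SYSTEM identifier is never opened or fetched.
        raise UnsafeXML("external entity %r refused" % system_id)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = refuse_external_ref

    result = {}
    path = []   # element names from the root down to the current element
    text = []   # character data collected inside the current element

    def start_element(name, attrs):
        path.append(name)
        text.clear()

    def character_data(data):
        text.append(data)

    def end_element(name):
        if path == ["role", "name"]:
            result["name"] = "".join(text).strip()
        path.pop()
        text.clear()

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.EndElementHandler = end_element
    parser.Parse(body, True)
    return result


def is_accepted(body):
    """True if the body parses under the no-entities policy, else False."""
    try:
        parse_role_xml(body)
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False
    return True


if __name__ == "__main__":
    print(parse_role_xml(SAFE_BODY))    # {'name': 'admin'}
    print(is_accepted(MALICIOUS_BODY))  # False
```

Unlike the behaviour observed with the merged fix (an empty role name), this version rejects the whole body; either way the file named in the SYSTEM identifier is never read. The rejection fires in the DOCTYPE handler, before expat reaches the entity declaration, so the entity-declaration and external-reference handlers only matter as a second line for parser configurations that let a DTD through. Predefined entities such as &amp; are still decoded, since they involve no declaration.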

Thierry Carrez (ttx) wrote :

OK, disclosure process will be handled on bug 1100282.

Mark McLoughlin (markmc)
Changed in keystone:
milestone: none → 2012.2.3
Mark McLoughlin (markmc)
Changed in keystone:
milestone: 2012.2.3 → none
Thierry Carrez (ttx)
Changed in keystone:
importance: Undecided → High
status: Confirmed → Triaged
Thierry Carrez (ttx) wrote :

Issue was independently reported by Stuart Stent as duplicate bug 1111828

Thierry Carrez (ttx)
summary: - Local file leak through entities in XML requests
+ Local file leak through entities in XML requests (CVE-2013-1665)
Thierry Carrez (ttx)
information type: Private Security → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/folsom)

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/22314

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/22315

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/essex)

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/22316

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/folsom)

Reviewed: https://review.openstack.org/22314
Committed: http://github.com/openstack/keystone/commit/8a2274595ac628b2373eab0cb14690f866b7a024
Submitter: Jenkins
Branch: stable/folsom

commit 8a2274595ac628b2373eab0cb14690f866b7a024
Author: Dolph Mathews <email address hidden>
Date: Tue Feb 19 09:04:11 2013 -0600

    Disable XML entity parsing

    Fixes bug 1100282 and bug 1100279.

    Change-Id: Ibf2d73bca17b689cfa2dfd29eb15ea6e7458a123

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/22315
Committed: http://github.com/openstack/keystone/commit/2afe8e46893ca27ea9d61f29419d0ec23a6d8db3
Submitter: Jenkins
Branch: master

commit 2afe8e46893ca27ea9d61f29419d0ec23a6d8db3
Author: Dolph Mathews <email address hidden>
Date: Tue Feb 19 09:00:40 2013 -0600

    Disable XML entity parsing

    Fixes bug 1100282 and bug 1100279.

    Change-Id: I6a7c9e7110e1c7890205d6e4550ab46295c68906

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/essex)

Reviewed: https://review.openstack.org/22316
Committed: http://github.com/openstack/keystone/commit/8945567b5ec39c7f32f27aec4eccf230cc86646c
Submitter: Jenkins
Branch: stable/essex

commit 8945567b5ec39c7f32f27aec4eccf230cc86646c
Author: Dolph Mathews <email address hidden>
Date: Tue Feb 19 09:08:41 2013 -0600

    Disable XML entity parsing

    Fixes bug 1100282 and bug 1100279.

    Change-Id: Idd3989356dfededc3d863770f0ca1661c1d45782

Thierry Carrez (ttx)
Changed in keystone:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-3 → 2013.1
Thierry Carrez (ttx)
summary: - Local file leak through entities in XML requests (CVE-2013-1665)
+ [OSSA 2013-004] Local file leak through entities in XML requests
+ (CVE-2013-1665)
Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: New → Fix Released