path: root/SECURITY
blob: b0e0b90f20ab93d1518369ed57c62ec2b9548d7a (plain)
custodian-enqueue
-----------------

  We open named files from the user to parse tests.

  We don't run shell commands.


custodian-dequeue
-----------------

Two tests pass arguments from the configuration file to the shell:

    ping
    http/https

The hostname used to ping, and the URL, are both passed directly to the shell with no encoding or sanitizing.  The only constraint is that hostnames must match the following regular expression:

    ^([^\s]+)\s+

The following configuration file allows the specified command to be executed, as root, via the shell:

    $(/home/steve/hg/custodian/exploit.sh) must ping otherwise "Owned".

Given that anybody who can talk to the beanstalkd server can submit JSON-encoded jobs, we have no solution here which involves sanity-checking the parsed hostnames.  Instead we must either restrict submissions to signed ones, or we must remove the following from hostnames:

    $( ... )  - Expansion.
    ` .. `    - Backticks.
    ; ..      - Sub-commands.
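As an added example, not custodian's own code, here is one way to implement the second option above in Ruby: a strict target check that admits only hostnames and literal IP addresses, and argv-style process spawning so that neither the hostname nor the URL is ever parsed by a shell.  The names safe_target?, safe_url?, ping_argv and http_argv are assumptions, and the ping flags assume Linux iputils.

```ruby
require 'ipaddr'
require 'open3'
require 'uri'

# RFC 1123 style hostname: labels of [a-z0-9-], no leading/trailing hyphen,
# at most 253 characters.  "$( ... )", backticks and ";" cannot match this.
HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.?\z/i

# True for a hostname or a literal IPv4/IPv6 address; false for everything else.
# The character prefilter runs first so that nothing odd even reaches IPAddr.
def safe_target?(target)
  return false unless target.is_a?(String) && target.match?(/\A[A-Za-z0-9.:-]{1,253}\z/)
  return true if target.match?(HOSTNAME_RE)
  IPAddr.new(target)   # raises for anything that is not a real IP literal
  true
rescue ArgumentError   # IPAddr::InvalidAddressError is a subclass of this
  false
end

# True only for an absolute http/https URL whose host passes safe_target?.
# With argv-style spawning (below) the rest of the URL is plain data, not shell input.
def safe_url?(url)
  u = URI.parse(url.to_s)
  %w[http https].include?(u.scheme) && safe_target?(u.hostname.to_s)
rescue URI::InvalidURIError
  false
end

# Build the argument vector for each test.  The unsafe pattern this replaces is
#   system("ping -c 1 #{host}")   # one string handed to /bin/sh, so $( ) runs
# An Array given to Open3/Kernel#system goes straight to execve(2): no shell.
def ping_argv(host)
  raise ArgumentError, "unsafe ping target: #{host.inspect}" unless safe_target?(host)
  ['ping', '-c', '1', '-W', '5', host]
end

def http_argv(url)
  raise ArgumentError, "unsafe URL: #{url.inspect}" unless safe_url?(url)
  ['curl', '--silent', '--output', '/dev/null', '--max-time', '10', '--', url]
end

# Run one of the vectors above; true when the command exited 0.
def run_check(argv)
  _out, _err, status = Open3.capture3(*argv)
  status.success?
end
```

The exploit line from the configuration above fails the prefilter in safe_target?, so ping_argv raises before any process is spawned.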


General
-------

We decode arbitrary JSON from the queue.  We should sign it, or validate it, to prevent trojaned or malformed
JSON from being added.

At the moment we ensure that the job-body we retrieve looks JSON-like, and decodes to a non-empty hash.

Problem: We cannot sign the body without giving away our key details.

Solution: Read /etc/custodian/salt, and store the checksum of all keys + values with that salt?


TODO
----

  Anything else?  DoS attacks?



Steve
--