The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #13518

file bucket request can execute arbitrary commands as puppet master

Added by Patrick Carlisle over 2 years ago. Updated over 2 years ago.

Status: Closed
Start date: 03/29/2012
Priority: Immediate
Due date:
Assignee: -
% Done: 0%
Category: security
Target version: 2.7.13
Affected Puppet version: 2.6.0
Branch:
Keywords: security


Description

This requires access to the cert on the agent and an unprivileged account on the master.

By creating a path on the master in a world-writable location that matches a command string, one can then make a file bucket request to execute that command.

History

#1 Updated by Anonymous over 2 years ago

  • Assignee changed from Patrick Carlisle to Anonymous

#2 Updated by Anonymous over 2 years ago

  • Status changed from Accepted to In Topic Branch Pending Review

Fixes in branches:

  • https://github.com/puppetlabs/puppet-cve-test/tree/security/2.6.14/filebucket-bucket-path-security

#3 Updated by Matthaus Owens over 2 years ago

  • Status changed from In Topic Branch Pending Review to Merged - Pending Release
  • Target version set to 2.7.13

#4 Updated by Matthaus Owens over 2 years ago

  • Description updated (diff)
  • Status changed from Merged - Pending Release to Closed
  • Affected Puppet version changed from 2.7.12 to 2.6.0

Released in 2.7.13, 2.6.15

#5 Updated by Matthaus Owens over 2 years ago

  • Private changed from Yes to No
