cobbler CVE-2018-10931: CobblerXMLRPCInterface exports internal only functions over XMLRPC

[Cedric Buissart <cbuissar () redhat com>]

Cobbler is a Linux installation server that allows for rapid setup of
network
installation environments. It is used in products like Red Hat Enterprise
Satellite 5 and Spacewalk.  Upstream project is at :
https://cobbler.github.io/


While diagnosing the following 2 flaws :
https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/

Another flaw has been found: cobbler exposes all functions from its
CobblerXMLRPCInterface class over XMLRPC. However, python renames the __*
function with _<classname>__<functionname>.  A remote, unauthenticated
attacker
could use this flaw by calling the real name of any __* function and gain
high
privileges within cobbler or upload files to arbitrary location in the
context
of the daemon.  This is identified as CVE-2018-10931

All versions of cobbler (at least since 2.0.7) are affected.

To reproduce the issue: use the reproducers from the report above and call
any
__<name> function as _CobblerXMLRPCInterface__<name>

The patch for this specific vulnerability (i.e.: it does *not* fix the
vulnerability reported by movermeyer.com) :

---
 cobbler/remote.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cobbler/remote.py b/cobbler/remote.py
index 94a18e7..ea0e354 100644
--- a/cobbler/remote.py
+++ b/cobbler/remote.py
@@ -1752,6 +1752,9 @@ class ProxiedXMLRPCInterface:

     def _dispatch(self, method, params, **rest):

+        if method.startswith('_'):
+            raise CX("forbidden method")
+
         if not hasattr(self.proxied, method):
             raise CX("unknown remote method")

---


Best regards,

-- 
Cedric Buissart,
Product Security