Bug 1227203 (CVE-2024-22033) - VUL-0: CVE-2024-22033: obs-service-download_url: argument injection
Summary: VUL-0: CVE-2024-22033: obs-service-download_url: argument injection
Status: NEW
Alias: CVE-2024-22033
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assignee: Adrian Schröter
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/412424/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-29 15:18 UTC by Marcus Meissner
Modified: 2024-07-15 13:05 UTC (History)
CC List: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 2 Adrian Schröter 2024-07-02 16:40:05 UTC
Thanks for that report!

Please review my first attempt to solve this; I need to think tomorrow about whether there are further ways to inject a parameter:

 https://github.com/openSUSE/obs-service-download_url/commit/54c08bf2d466ea5d55f77bb1185dab9018d9e5e8

Just for the record, the services on our server additionally run in containers, so there should be no risk on our server. But it is definitely a problem because services are also executed on developer systems.
Comment 3 Johannes Segitz 2024-07-03 07:15:11 UTC
I'm giving a training today and tomorrow, so I can't look into this in detail. But I think this is not sufficient. Can you test your change with this change in the exploit:
    <param name="url"> --output-document=/srv/obs/service/.wgetrc</param>

I assume the whitespace gets ignored upon execution.

In general, don't blacklist but whitelist allowed entries. Otherwise it's very tricky to get this right.
Comment 4 Adrian Schröter 2024-07-03 07:28:48 UTC
Indeed. I modified the code now to ensure that the url is handled as a single argument in any case, so spaces can no longer be used to prefix or hand over multiple arguments.

https://github.com/openSUSE/obs-service-download_url/commit/d330e267997689eb8d2bc473f8d8b6c9a6a201ae
Comment 5 Adrian Schröter 2024-07-03 07:29:53 UTC
The whitelist would need to always be in sync with wget protocol support, so I'd like to avoid it.
Comment 6 Johannes Segitz 2024-07-10 14:07:20 UTC
So I can still get the exploit working with the current version. I suggest you add a sanity check for the URL and restrict it to strings starting with /http|ftp/i.
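The kind of allowlist check suggested above, written out as an added example (not code from this bug report or from obs-service-download_url; the function names are hypothetical and the sample values are constructed, modelled on the string in comment 3). It also shows the other half of the fix discussed in comment 4: passing the URL to wget as one argv element.

```python
"""Defensive URL validation for a download service that shells out to wget.

Added example, not obs-service-download_url's own code. Function names are
hypothetical; sample inputs below are constructed, modelled on comment 3.
"""
import shlex
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "ftp"}  # allowlist, as suggested in comment 6


def validate_download_url(value: str) -> str:
    """Return the URL unchanged if it is safe to hand to wget, else raise."""
    # Whitespace is how one value pretends to be several arguments or hides
    # a leading option; reject it anywhere, not just at the ends.
    if any(c.isspace() for c in value):
        raise ValueError("whitespace in url parameter")
    # Anything option-like must never reach wget's argument parser.
    if value.startswith("-"):
        raise ValueError("url parameter looks like a command-line option")
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.netloc:
        raise ValueError("url has no host")
    return value


def is_safe_download_url(value: str) -> bool:
    """Boolean form of the check for callers that only need yes/no."""
    try:
        validate_download_url(value)
    except ValueError:
        return False
    return True


def build_wget_argv(url: str, outdir: str) -> list[str]:
    """Build an argv list (never a shell string), URL placed after `--`.

    `--` ends option parsing in GNU getopt, which wget uses, so the URL is
    always a single positional argument even if it begins with a dash.
    """
    return ["wget", "-q", "-P", outdir, "--", validate_download_url(url)]


if __name__ == "__main__":
    for sample in ["https://example.com/src.tar.gz",
                   " --output-document=/tmp/.wgetrc", "file:///etc/passwd"]:
        print(shlex.join(build_wget_argv(sample, "/tmp/out"))
              if is_safe_download_url(sample) else f"rejected {sample!r}")
```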
Comment 7 Adrian Schröter 2024-07-10 15:08:53 UTC
OK, I missed solving it for the url argument as well, but it is supposed to be solved in git now.

Tagged as version 0.2.1 and ready to go out when you give me the okay.
Comment 8 Johannes Segitz 2024-07-10 15:12:31 UTC
After the recent version I can't get it working anymore.

Please use CVE-2024-22033 for this
Comment 9 Adrian Schröter 2024-07-11 13:28:17 UTC
Okay, releasing 0.2.1 now.
Comment 10 OBSbugzilla Bot 2024-07-11 14:05:02 UTC
This is an autogenerated message for OBS integration:
This bug (1227203) was mentioned in
https://build.opensuse.org/request/show/1186878 Factory / obs-service-download_url
https://build.opensuse.org/request/show/1186879 Backports:SLE-15-SP5 / obs-service-download_url
https://build.opensuse.org/request/show/1186880 Backports:SLE-15-SP6 / obs-service-download_url
Comment 11 Marcus Meissner 2024-07-11 15:16:50 UTC
I rated it, but am open for other input:

Score: 8 (CVSS v3.1) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Comment 12 Johannes Segitz 2024-07-12 08:30:05 UTC
Could also see CIA as L due to the sandboxing on the server and the fact that it runs with user privileges in a local context. But both are fine.
Comment 13 Marcus Meissner 2024-07-15 13:05:19 UTC
openSUSE-SU-2024:0199-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1227203
CVE References: CVE-2024-22033
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src): obs-service-download_url-0.2.1-bp155.3.3.1