Arbitrary Code Execution as Root

Solution Verified

Issue

Presently, any Satellite user with the configuration administrator role can execute code as root on the Satellite server by putting something like "<%= os.popen('/usr/bin/id').read() %>" in a templated kickstart script or variable. The same can be done in a non-templated script by wrapping the command in #end raw and #raw directives.

Cheetah should probably not be invoked as root.  Additionally, the following checks should be made to prevent the execution of code on the server:

* Refuse to accept templated scripts or variables that include unescaped <%= ... %>, <% ... %>, or #compiler-settings directives.
* Prevent the use of the #end raw directive in non-templated scripts (e.g. s/#end/##end raw gobbled #raw end/ the raw scripts before writing out the kickstart template).
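A validator implementing the two checks above, as an added example that is not part of this article or of Satellite's own code. It assumes the strict reading of the first check (every occurrence of a code marker is rejected, escaped or not) and, for the second, refuses a non-templated script rather than rewriting it; the sample scripts are constructed from the pattern quoted in the issue.

```python
import re

# Markers that let a template author run arbitrary Python inside a
# Cheetah-templated kickstart script or variable: PSP-style code blocks
# (<% ... %>, <%= ... %>) and the #compiler-settings directive, which
# changes how the rest of the template is parsed. This example takes the
# strict reading and rejects every occurrence, escaped or not.
_CODE_MARKERS = re.compile(r'<%=?|#compiler-settings\b')

# A non-templated script is embedded inside a #raw ... #end raw block, so
# an "#end raw" in the script body closes that block early and turns the
# remainder of the script back into live template code.
_END_RAW = re.compile(r'#end\s+raw\b')


def find_code_markers(text):
    """Return (line_number, marker) pairs for every code marker found in a
    templated script or variable value; an empty list means it passed."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _CODE_MARKERS.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def find_raw_escapes(text):
    """Return the line numbers on which a non-templated script would close
    the surrounding #raw block."""
    return [lineno for lineno, line in enumerate(text.splitlines(), start=1)
            if _END_RAW.search(line)]


def embed_raw_script(script):
    """Wrap a non-templated script in #raw/#end raw for the kickstart
    template, refusing any script that could break out of the block."""
    bad = find_raw_escapes(script)
    if bad:
        raise ValueError('script closes the #raw block on line(s) %s'
                         % ', '.join(str(n) for n in bad))
    return '#raw\n%s\n#end raw\n' % script.rstrip('\n')


# Constructed sample inputs, mirroring the pattern quoted in the issue.
TEMPLATED_SCRIPT = ("#!/bin/sh\n"
                    "echo 'installing $hostname'\n"
                    "<%= os.popen('/usr/bin/id').read() %>\n")
RAW_SCRIPT = ("#!/bin/sh\n"
              "echo 'plain script'\n"
              "#end raw\n"
              "<%= os.popen('/usr/bin/id').read() %>\n"
              "#raw\n")

if __name__ == '__main__':
    print(find_code_markers(TEMPLATED_SCRIPT))   # [(3, '<%=')]
    print(find_raw_escapes(RAW_SCRIPT))          # [3]
```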

Environment

  • Red Hat Network Satellite 5.3
