Arbitrary Code Execution as Root
Issue
Presently, any Satellite user with the configuration administrator role can execute code as root on the Satellite server by putting something like "<%= os.popen('/usr/bin/id').read() %>" in a templated kickstart script or variable. The same can be done in a non-templated script by wrapping the command in #end raw and #raw directives.
Cheetah should probably not be invoked as root. Additionally, the following checks should be made to prevent the execution of code on the server:
* Refuse to accept templated scripts or variables that include unescaped <%= ... %>, <% ... %>, or #compiler-settings directives.
* Prevent the use of the #end raw directive in non-templated scripts (e.g. s/#end/##end raw gobbled #raw end/ the raw scripts before writing out the kickstart template).
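The two server-side checks above, written out as an added example (this is not Satellite or Spacewalk code). The templated-input validator refuses any occurrence of the three Cheetah constructs, which is stricter than the "unescaped" wording above, since Cheetah's escaping rules are not assumed here. The raw-script step reproduces the substitution suggested above: every `#end` is rewritten so that an injected `#end raw` closes the server's #raw block but the text that follows immediately reopens it, so no user-controlled text is ever parsed as a directive. The function names and the sample inputs are constructed for this example.

```python
import re

# Cheetah constructs that must not appear in templated kickstart scripts
# or variables. Any occurrence is refused (assumption: no escape syntax
# is honoured, which is stricter than the page's "unescaped" wording).
_UNSAFE_TEMPLATE_PATTERNS = [
    ("inline expression <%= ... %>", re.compile(r"<%=.*?%>", re.DOTALL)),
    ("code block <% ... %>", re.compile(r"<%(?!=).*?%>", re.DOTALL)),
    ("#compiler-settings directive",
     re.compile(r"^\s*#compiler-settings\b", re.MULTILINE)),
]


def find_unsafe_directives(text):
    """Return (label, matched_text) for every flagged construct in text."""
    hits = []
    for label, pattern in _UNSAFE_TEMPLATE_PATTERNS:
        for match in pattern.finditer(text):
            hits.append((label, match.group(0)))
    return hits


def validate_templated(text):
    """Accept (True, []) or refuse (False, hits) a templated script/variable."""
    hits = find_unsafe_directives(text)
    return (len(hits) == 0, hits)


def neutralize_raw_script(script):
    """Apply the page's s/#end/##end raw gobbled #raw end/ to a raw script.

    A user-supplied '#end raw' becomes '##end raw gobbled #raw end raw':
    the embedded '#end raw' still closes the server's #raw block, but the
    fixed text that follows reopens it with '#raw' before any further
    user-controlled text is reached by the template parser.
    """
    return script.replace("#end", "##end raw gobbled #raw end")


def wrap_raw_script(script):
    """Emit the #raw ... #end raw block the server writes for a raw script."""
    return "#raw\n" + neutralize_raw_script(script) + "\n#end raw\n"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real Satellite profile.
    print(validate_templated("hostname=$hostname\n"))
    print(validate_templated("answer = <%= 1 + 1 %>"))
    print(wrap_raw_script("echo hello\n#end raw\n<% x = 1 %>"))
```

The validator should run when a templated script or variable is saved, and the raw-script rewrite when the kickstart template is written out, i.e. before Cheetah sees either input; both are independent of Cheetah being invoked as a less privileged user, which the text above recommends as well.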
Environment
- Red Hat Network Satellite 5.3