Arbitrary Code Execution as Root
Issue
Presently, any Satellite user with the configuration administrator role can execute code as root on the Satellite server by putting something like "<%= os.popen('/usr/bin/id').read() %>" in a templated kickstart script or variable. The same can be done in a non-templated script by wrapping the command in #end raw and #raw directives.
Cheetah should probably not be invoked as root. Additionally, the following checks should be made to prevent the execution of code on the server:
* Refuse to accept templated scripts or variables that include unescaped <%= ... %>, <% ... %>, or #compiler-settings directives.
* Prevent the use of the #end raw directive in non-templated scripts (e.g. s/#end/##end raw gobbled #raw end/ the raw scripts before writing out the kickstart template).
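The two checks above, written out as an added example in Python (Cheetah is a Python template engine and the Satellite kickstart generator is Python code); this is not Satellite's own code. It assumes that a backslash immediately before a token counts as "escaped", and that raw scripts are wrapped in a #raw ... #end raw block by the generator, so any #end raw inside the script is rejected rather than rewritten. The sample inputs are constructed.

```python
import re

# Cheetah constructs that let template text run Python on the server.
# The negative lookbehind treats a backslash-prefixed token as "escaped";
# that escape convention is an assumption of this example.
PSP_OPEN = re.compile(r'(?<!\\)<%=?')                     # <% ... %> and <%= ... %>
COMPILER_SETTINGS = re.compile(r'(?<!\\)#compiler-settings\b')
END_RAW = re.compile(r'#\s*end\s+raw\b', re.IGNORECASE)   # closes a #raw block


def find_template_violations(template):
    """Return [(line_no, token)] for every unescaped code-execution
    construct found in a *templated* kickstart script or variable."""
    hits = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for pattern in (PSP_OPEN, COMPILER_SETTINGS):
            for match in pattern.finditer(line):
                hits.append((line_no, match.group(0)))
    return hits


def find_raw_violations(script):
    """Return [(line_no, token)] for every '#end raw' in a *non-templated*
    script. Assumption: the generator wraps the script in #raw ... #end raw,
    so an embedded '#end raw' would close that wrapper early and let the
    rest of the script be parsed as template code."""
    return [(line_no, match.group(0))
            for line_no, line in enumerate(script.splitlines(), start=1)
            for match in END_RAW.finditer(line)]


def accept_templated(template):
    """True if the templated script/variable may be handed to Cheetah."""
    return not find_template_violations(template)


def accept_raw(script):
    """True if the raw script may be embedded inside a #raw block."""
    return not find_raw_violations(script)


if __name__ == "__main__":
    # Constructed samples, not taken from a real Satellite installation.
    bad_template = "echo hi\n<%= 'python would run here' %>\n#compiler-settings\n"
    escaped_template = "literal text \\<%= not code %>\n"
    bad_raw = "echo a\n#end raw\n#raw\n"
    print("templated violations:", find_template_violations(bad_template))
    print("escaped accepted:", accept_templated(escaped_template))
    print("raw violations:", find_raw_violations(bad_raw))
```

Both checks report line numbers so the reason for rejecting a script can be shown to the administrator who submitted it; rejecting outright is simpler to reason about than rewriting the script, because it needs no assumptions about how Cheetah tokenises the rewritten text.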
Environment
- Red Hat Network Satellite 5.3
