Details
- Bug
- Status: Open
- Critical
- Resolution: Unresolved
- 2.1.0, 2.3.0, 2.2.2, 2.4.4, 2.5.3, 2.6.2, 2.8.0, 2.7.8
- None
Description
Apache Ambari versions 2.1.0-rc0 to 2.8.0-rc1 allow a malicious authenticated user to execute arbitrary commands remotely. Any command can be executed, just like `touch /tmp/pwn` in the screenshot below.
I think we should not use `sh -c` or `cmd /c` to execute shell commands, which leads to command injection.
To fix this issue, there are two steps we should follow:
- Replace `sh -c` or `cmd /c` with parameterized command execution
- The above fixes the injection of evil commands into the `script` var using special chars like `$.....`, but it can't prevent path traversal to execute an evil command; if any input content in `properties` contains `..`, we should block it and return a failure message to the front end
I have emailed the complete reproduction steps to brahmareddy. You can forward it to him if necessary.
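The two-step fix proposed above, sketched in Python as an added example; it is not Ambari code and not from the reporter. `SCRIPT_ROOT`, `RejectedInput` and the function names are hypothetical, and the containment check in `resolve_script` is an extra assumption beyond the report.

```python
import os
import subprocess
import sys

# Hypothetical directory holding the only scripts that may be launched.
SCRIPT_ROOT = os.path.realpath("/opt/example/scripts")


class RejectedInput(ValueError):
    """Raised so the caller can return a failure message to the front end."""


def check_properties(properties):
    # Step 2 from the report: block any value containing "..".
    for key, value in properties.items():
        if ".." in str(value):
            raise RejectedInput(f"property {key!r} contains '..'")


def resolve_script(script):
    # Extra containment check (an assumption, not in the report): the
    # resolved path must stay under SCRIPT_ROOT even without a literal "..".
    path = os.path.realpath(os.path.join(SCRIPT_ROOT, script))
    if os.path.commonpath([SCRIPT_ROOT, path]) != SCRIPT_ROOT:
        raise RejectedInput("script path escapes the script directory")
    return path


def build_argv(interpreter, properties):
    # Step 1: one list element per argument, never a string for `sh -c`.
    check_properties(properties)
    script = resolve_script(properties["script"])
    args = [f"{k}={v}" for k, v in sorted(properties.items()) if k != "script"]
    return [interpreter, script, *args]


def echo_argument(value):
    # Passes `value` as a single argv entry to a child process that prints it
    # back. With shell=False no shell parses it, so metacharacters stay text.
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    done = subprocess.run(child, shell=False, capture_output=True, text=True)
    return done.stdout.rstrip("\n")
```

The list returned by `build_argv` is meant to be passed to `subprocess.run` with `shell=False`, the same way `echo_argument` does.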