-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
security issue in mininet, may cause arbitary code execution #850
Comments
I don't recommend running untrusted Python scripts (or any untrusted code) as root. If you're looking for an "exploit," why not just use the shell escape?
By design, Mininet runs as root and permits shell escapes, but it can be run in a container or VM if you wish greater isolation. Usually people run it in a VM. However, I would consider a patch to make it possible to run Mininet as a non-root user, if you are interested in putting one together. |
Yes, i totally agree that a user shouldn't run untrusted scripts, and some mininet REPL function is designed for command execution(such as the sh). examples of checking IP thanks for your hard working for mininet, and hope the mininet could be better and better :) |
If a developer what to write his UI website for creating SDN network, I think depending the developer to check the user-input of IP and PORT is not so practical...... cause many developers will simplely pass the user input to the __init__ of Controller......And that may cause problems. To avoid these kind of problem from the root...... it's better perform a check in __init__ ...... |
I'm not convinced that input vetting makes it any more secure, and it makes the code more complicated, which can make it harder to understand and less reliable. However, feel free to submit a pull request if you think it's actually useful. As I noted, since Mininet currently runs as root the best idea is to run it in its own VM (or on a dedicated bare metal server) and that's what we recommend. It's also possible to run Mininet in a container with virtual root rather than real root. However, since it shares the same kernel it's not particularly secure (though it may help prevent some accidental errors - see below.) It may also be possible to make Mininet run with more granular capabilities; at the minimum, it would need to be able to create network namespaces and to add interfaces in both the root and host namespaces. At the end of the day, you're running a Python script with root access, so you shouldn't accept untrusted input. Or code for that matter: # XXX Don't try this "typo" at home
s1.cmd('rm -rf /tmp/foo /*') |
yep, i see that people should run mininet in virtual machine. However, one may run it on his server to create a SDN environment, that may cause proplem . |
I don't understand how the changes you suggest would somehow "make it safer?" I'm also a bit unclear on how would you "exploit" this without either 1) running malicious/untrusted code as root (as in your example) or 2) accepting malicious/untrusted user input (including command line arguments or environment variables) into a script running as root? Are you expecting that a rogue DNS server could be used to exploit this somehow, or ??? Perhaps you can provide an example which doesn't require untrusted user input (including environment variables, command line options, configuration files, etc.) and/or untrusted code? That being said, I think the right approach for IP addresses in the long run (e.g. Mininet 3.x) might be to make them first class objects which are also interoperable with strings (perhaps a subclass of string or something.) The "simple" fix would be to vet input, but that isn't scalable and makes the code harder to read and understand. We could also add type annotations to Mininet (which is also now compatible with Python 3) and possibly use a type checker to the code check. As I noted before, making Mininet's permissions requirements more granular might be useful. I also think that we should have systematic error checking and recovery, which we don't currently have. Probably the most important thing to realize is that this isn't really a bug - it is an intentional implementation choice to make the code simpler and easier to understand. Mininet is basically a root shell, so you shouldn't pass untrusted input to it, and you shouldn't run untrusted scripts. If you want better isolation, the best practice for now is probably to run it in a VM, dedicated server, or container. |
wouldn't it be sufficient to simply apply this small change? -listening = self.cmd( "echo A | telnet -e A %s %d" % ( self.ip, self.port ) )
+listening = self.cmd( "echo A | telnet -e A '%s' '%d'" % ( self.ip, self.port ) ) |
when trying your exploit with this patch, i get
|
Mininet uses GitHub issues for bug reports and feature requests only.
These issues can be viewed at bugs.mininet.org
If you have a question that is not a bug report or a feature request,
please use the documentation at docs.mininet.org, the FAQ
at faq.mininet.org, and the mininet-discuss mailing list.
For bug reports, please fill in the following information in detail,
and also feel free to include additional information such as debug
output from mn -v debug, etc.
--- Cut Here ---
Expected/Desired Behavior:
create an mininet network.
Actual Behavior:
arbitary code execution
Detailed Steps to Reproduce the Behavior:
We found a security issue that may cause arbitary code execution.
the call stack is:
Controller
=>__init__
=>checkListening
=>listening = self.cmd( "echo A | telnet -e A %s %d" % ( self.ip, self.port ) )
source code:
We focus on:
self.cmd() execute what ever passed to it. We can see that
self.ip
andself.port
are user controllable inputs,without any kind of filter or other defences. So if we gave a malicious IP, we can get an arbitary code execution.Using self.cmd() without defence is quite dangerous, because sometimes the attacker can control the input of ip or port. For example, the supply chain attack, or some developer encapsulate mininet with a web page so that the attacker may give a malicious IP/PORT to make arbitary code execution.
We strongly suggest to add some kind of defence here, or totally change the mechanism of some functions.
Our exploit is as follows:
the results is shown below:
Additional Information:
please think about fixing this kind of security problems.
The text was updated successfully, but these errors were encountered: