
RESTBase arbitrary file read vulnerability
Closed, Resolved (Public)

Description

As reported by Neal Poole to our security alias:

I recently received a report about an arbitrary file read vulnerability in RESTBase which appears to affect Wikimedia systems. It allows for arbitrary file read as the user the server is running as:

PoC: https://en.wikipedia.org/api/rest_v1/?path=....//....//....//....//....//....//....//....//etc/passwd&doc=

Event Timeline

faidon assigned this task to GWicke.
faidon raised the priority of this task from to Unbreak Now!.
faidon updated the task description.
faidon added projects: RESTBase, acl*security.
faidon changed the visibility from "Public (No Login Required)" to "Custom Policy".
faidon changed the edit policy from "All Users" to "Custom Policy".
faidon changed Security from None to Software security bug.
faidon subscribed.

@GWicke, @yuvipanda, @mark & myself prepared/code reviewed a fix. @yuvipanda deployed this across the fleet manually as a hotfix now, until we figure out the best way to unembargo/disclose this.

I've responded to the reporter to inform them of this and also ask what he meant by "received a report".

We should rotate secrets (mainly the Cassandra password) next, we still need to figure out the right process for that.

This is the hot fix that was applied manually (with a simple 'patch') on all production nodes:

https://gist.github.com/gwicke/bf7e32b6631a4a85be6c

Cassandra password and user, restbase salt have been correctly rotated.

Restart of the production cluster went as follows:

10:57 UTC - added the new cassandra user on the production cluster
11:02 UTC - puppet disabled on all restbase hosts
11:30 UTC - merged all puppet changes to reflect the user change
11:31 UTC - restbase1001 is restarted with the new user, all checks are green, proceeding with a rolling restart of the production cluster
11:45 UTC - A rolling restart of the test cluster (together with the user addition) is started as well
11:56 UTC - Production rolling restart is terminated
12:11 UTC - Test cluster rolling restart is terminated
12:13 UTC - Dropped user on the test cluster
12:16 UTC - Dropped user on the production cluster

12:31 UTC - default cassandra password changed in test cluster T113622
12:44 UTC - default cassandra password changed in production cluster T113622
Also note that due to how puppet is used (one 'cassandra' role) the password is shared among test and production cluster; will follow up in T113622.

I feel like restbase is experimental enough that anyone using it is probably on wikitech/mediawiki-l, and announcing there once the patch has been merged would be enough (like we do for many extensions). But @GWicke, feel free to propose something else, if there's a better way to reach users.

We should figure out the desired process for services in general and update https://www.mediawiki.org/wiki/Reporting_security_bugs.

Reedy added a subscriber: Mdann52.

This was reported to OTRS too, with https://en.wikipedia.org/api/rest_v1/?path=....//....//....//....//....//....//....//....//etc/passwd&doc= as the example URL:

{"type":"https://restbase.org/errors/internal_error","method":"get","detail":"Error: ENOENT: no such file or directory, open '/srv/deployment/restbase/deploy/node_modules/swagger-ui/dist/..../..../..../..../..../..../..../..../etc/passwd'","uri":"/en.wikipedia.org/v1/"}

Looks like the fix is maybe not sufficient, and results in path disclosure. Not so much of an issue on WMF wikis, but would be for third parties :)

Note the OTRS ticket was sent in "Created: 16/01/2016 15:27", so this may have already been caught with the other patch.

Neal let us know that the original reporter to HackerOne was https://hackerone.com/psych0tr1a. The OTRS report was from Yurij Seregin. Both had identical PoC urls. It's unknown if those are the same person, or both happened to find the issue simultaneously.

This issue is fixed in RESTBase 0.9.2, which has been released today.

csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 20 2016, 10:45 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Jan 20 2016, 10:45 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Luke081515.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 20 2016, 10:54 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
Reedy changed Security from Software security bug to None.