Page MenuHomePhabricator
Create Task
Maniphest T124731

proxylistener does not verify that request comes from Tools project
Closed, InvalidPublic
Actions

Description

While working on proxymanager I noticed that proxylistener does not verify that a request originates from the Tools project. This allows project administrators in Labs who set up (custom) ident servers to manipulate all proxy forwards for https://tools.wmflabs.org/. But this is so unlikely and there is so little to gain from that that I think low priority is appropriate for this.

With the new DNS scheme, it's (relatively) easy to verify that an IP belongs to the Toolforge project:

  1. Look up the PTR record for the IP: 10.68.17.49tools-exec-1201.tools.eqiad.wmflabs.
  2. Check that the host name ends in .$labsproject.eqiad.wmflabs.
  3. Look up the A record for the host name: tools-exec-1201.tools.eqiad.wmflabs10.68.17.49.
  4. Check that both IPs are the same.

proxymanager currently has the same fault.

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Jan 26 2016, 1:11 AM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 26 2016, 1:11 AM
scfc created this task.Jan 26 2016, 1:11 AM
scfc triaged this task as Low priority.
scfc updated the task description. (Show Details)
scfc added projects: Toolforge, acl*security.
scfc moved this task to Ready to be worked on on the Toolforge board.
scfc changed Security from None to Software security bug.
scfc edited subscribers, added: scfc; removed: Aklapper.
Restricted Application added a project: Cloud-Services. · View Herald TranscriptJan 26 2016, 1:11 AM
Bawolff moved this task from Backlog / Other to Operational issues on the acl*security board.Jul 10 2016, 6:01 PM
yuvipanda subscribed.Aug 5 2016, 7:01 PM

I've manually put in place a ferm rule and disabled puppet now on tools-proxy-01, since we've disabled security groups (kinda) due to https://phabricator.wikimedia.org/T142165 just now.

scfc added a comment.Jan 30 2017, 5:51 AM

When I filed this task, I was confused about the way OpenStack handles incoming connections. By default, no connections at all are let through. It is only by virtue of the "default" security group (in Toolforge and other Labs projects) that intra-project communication is allowed, as this security group allows all traffic from other instances in the (same) "default" security group. This "default" security group covers all ports, including port 8282 for proxylistener. Instances in other projects cannot reach port 8282 (proved by tests).

What I am unsure about ATM is how Kubernetes interacts with this. I tried:

tools.templatecheck@interactive:~$ php
<?php
echo(file_get_contents("http://tools-proxy-01.tools.eqiad.wmflabs/list"));
PHP Warning:  file_get_contents(http://tools-proxy-01.tools.eqiad.wmflabs/list): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden
 in - on line 2
tools.templatecheck@interactive:~$ php
<?php
echo(file_get_contents("http://tools.wmflabs.org"));
PHP Warning:  file_get_contents(http://tools.wmflabs.org): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden
 in - on line 2
tools.templatecheck@interactive:~$

to see if I can see an access request on tools-proxy-01, but probably PHP's use-URLs-as-filenames is disabled? So I need try to this again to see if these requests go through OpenStack's firewall.

If Kubernetes offers no attack vector, then this task could be un-securitied and then closed as invalid. Additionally, we might think about amending the security groups so that instances in the webproxy security group only allow access to port 8282 from instances in the, hmmm, execnode security group?

scfc added a comment.Jan 31 2017, 10:06 PM

I don't know why I did not try a simple curl :-). When I webservice php5.6 shell and then curl http://tools-proxy-01/does-not-exist, this hits the proxy as:

10.68.23.240 - - [31/Jan/2017:21:56:27 +0000] "GET /does-not-exist HTTP/1.1" 404 1409 "-" "curl/7.38.0"

10.68.23.240 is the IP of tools-worker-1003.tools.eqiad.wmflabs, i. e. proxylistener would contact the trustworthy ident server on tools-worker-1003 and not one on the user-controlled containers. Therefore I think Kubernetes does not offer any attack vector.

So this task can be un-securitied and then closed as invalid. Thanks and sorry for the confusion!

chasemp closed this task as Invalid.Mar 17 2017, 1:13 PM
chasemp changed the visibility from "Custom Policy" to "Public (No Login Required)".
chasemp changed the edit policy from "Custom Policy" to "All Users".
chasemp subscribed.
In T124731#2987981, @scfc wrote:

I don't know why I did not try a simple curl :-). When I webservice php5.6 shell and then curl http://tools-proxy-01/does-not-exist, this hits the proxy as:

10.68.23.240 - - [31/Jan/2017:21:56:27 +0000] "GET /does-not-exist HTTP/1.1" 404 1409 "-" "curl/7.38.0"

10.68.23.240 is the IP of tools-worker-1003.tools.eqiad.wmflabs, i. e. proxylistener would contact the trustworthy ident server on tools-worker-1003 and not one on the user-controlled containers. Therefore I think Kubernetes does not offer any attack vector.

So this task can be un-securitied and then closed as invalid. Thanks and sorry for the confusion!

Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:44 PM
chasemp edited projects, added Security; removed Cloud-Services.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits