[Bugs] [Bug 1779276] tests/00-geo-rep/00-georep-verify-non-root-setup.t open server to trivial root compromise

bugzilla at redhat.com bugzilla at redhat.com
Thu Dec 5 12:03:30 UTC 2019


https://bugzilla.redhat.com/show_bug.cgi?id=1779276



--- Comment #6 from M. Scherer <mscherer at redhat.com> ---
That's not trivial indeed.
If we take one of the ranges of Amazon, that's a /9. If I take a /24 (because I do
not have the time to do a full scan of the Amazon range, even if tools like
masscan exist) and scan for the OpenSSH version in CentOS 7 (public
information, that's in the name of the job, etc.), it gets down to 18 IPs out of
255. Then you can scan those 18, and remove everything with a port open that is
not ssh (public information, since our Ansible playbooks are public, and we
open the firewall only for this port). It returns 1 single IP on the range I
tested, which was our builder.

But using a range where I know there is a builder is kind of cheating, so I did
increase that to a /22. It still gave a single result, our builder. It took 10 to
15 minutes to run from my laptop, and there is room for lots of optimisation.
For a start, this could be searched in advance, since our builders seldom
change their IP as we do not reinstall them (since that's an open task on the
TODO list). So a regular scan could see which IPs persist.

To see how much filtering could be done, I tested with a /20. It found 3
matches, 1 being our builder. Out of the 2 others, 1 had a banner that would
exclude the IP from the pool, and the other was virtually indistinguishable
from that of our builder. So I would say that by scanning a /20, we can find
2 matches. I suspect that by looking at
https://ip-ranges.amazonaws.com/ip-ranges.json, an attacker could also restrict the
range to the US ones, and even to the US-east DC, since that's what makes sense
given our Jenkins location.

So while I am not going to do the math for that, and while it is indeed not
trivial to get the IP (I checked the builder log quickly; only the internal IP
is leaked in env vars, and there isn't much on the Jenkins side either that could
be exploited for that), it is also not impossible, with enough time, to
have enough IPs to test them repeatedly during the few minutes of opportunity.
Now, of course, the Venn diagram of people who can do that and those who are
interested in doing that is quite small (like, I would personally if I was an evil
guy and not already root on the servers).
