22. CVE-2007-5741
Original release date: 11/07/2007
Last revised: 09/05/2008
Source: US-CERT/NIST
Overview
Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.
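Added illustration (not Plone code, and not the patched modules): why "unpickles network data" means "executes code", and the restricted-unpickler pattern a defender uses instead. The Payload class, record_call, and the allow-list contents are constructed for this example; the benign dict stands in for a status message.

```python
import io
import pickle

# Constructed sample, not Plone code: a class whose pickle instructs the
# receiver to call a function when it is unpickled. Any pickle can carry
# such an instruction, so unpickling untrusted bytes is code execution.
CALLS = []  # records that unpickling ran our function


def record_call(tag):
    CALLS.append(tag)
    return tag


class Payload:
    def __reduce__(self):
        # pickle stores "to rebuild this object, call record_call('executed')"
        return (record_call, ("executed",))


def unsafe_loads(data):
    """What the vulnerable modules effectively did: trust network bytes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global except an explicit allow-list (the pattern from
    the Python docs). Plain data such as dicts, lists and strings needs no
    globals at all, so a status message still loads."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}  # constructed allow-list

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Run both loaders over a hostile pickle and a benign message dict."""
    hostile = pickle.dumps(Payload())
    benign = pickle.dumps({"message": "Changes saved.", "type": "info"})
    results = {}
    # The naive loader runs record_call() merely by loading the bytes.
    results["unsafe_ran_code"] = unsafe_loads(hostile) == "executed" and bool(CALLS)
    # The restricted loader rejects the same bytes before anything runs.
    try:
        safe_loads(hostile)
        results["safe_blocked"] = False
    except pickle.UnpicklingError:
        results["safe_blocked"] = True
    # Ordinary data still round-trips.
    results["safe_benign"] = safe_loads(benign)
    return results


if __name__ == "__main__":
    print(demo())
```

The allow-list is the whole control: anything a message legitimately needs must be named there, and everything else (including the callable a hostile pickle names) is refused in find_class before the object graph is built. Plone 2.5 ran on Python 2; the example uses Python 3 syntax but the mechanism is the same.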
29. Bad Example: Sendmail (1990s)
[Architecture diagram; recoverable labels:]
• from network → Sendmail* → to network
• Sendmail* → to |command**
• Sendmail* → to /file/name**
• local submission → Sendmail*
• local delivery → /bin/mail* (executed as recipient) → mailbox file (owned by recipient)
• * uses root privileges
• ** in ~/.forward files and in /etc/aliases
30. Good Example: Postfix
Compartmentalization
[Architecture diagram; recoverable labels:]
• internet → smtpd server (unprivileged) → queue directories → smtp client (unprivileged) → internet
• pickup (local submission, unprivileged) → queue directories
• local delivery (privileged) → mailbox, |command, /file/name
• other programs
• transports to external (privileged): uucp, fax, pager
• Legend: = root privilege; = postfix privilege
72. Privileged Ports
[Diagram; recoverable labels: "Your Server", "Evil Dude", "Evil Zope (also 8080)", "ZEO (8100)". The background of the slide is an INTERCAL source listing (Brian Raiter's INTERCAL Numerical I/O lib, see Image Credits).]
76. WebServerAuth
a PluggableAuthService plugin
Redirects to HTTPS
(Challenge)
Makes Zope believe the username header
(Extraction, Authentication)
Makes PAS behave
(User Enumerator)
80. WebServerAuth
a PluggableAuthService plugin
<VirtualHost *:443>
ServerName www.example.com
# Prompt for authentication:
<Location />
SSLRequireSSL
AuthType Basic
AuthName "My Funky Web Site"
AuthUserFile /etc/such-and-such
# (etc.)
Require valid-user
# Put the username (stored below) into the HTTP_X_REMOTE_USER
# request header. This has to be in the <Location> block for
# some Apache auth modules, such as PubCookie, which don't set
# REMOTE_USER until very late.
RequestHeader set X_REMOTE_USER %{remoteUser}e
</Location>
# Do the typical VirtualHostMonster rewrite, adding an E= option
# that puts the Apache-provided username into the remoteUser
# variable.
RewriteEngine On
RewriteRule ^/(.*)$ http://127.0.0.1:81/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
</VirtualHost>
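Added illustration, not the WebServerAuth plugin's own code or its PAS interface: a stand-alone Python model of the Challenge and Extraction steps the slides describe, fed WSGI-style request environs. It assumes the Apache setup above (TLS and Basic auth on www.example.com:443, proxying to 127.0.0.1:81 with the verified login in X_REMOTE_USER). The check worth noting for a practitioner is on the backend side: Apache's RequestHeader set overwrites any X_REMOTE_USER a browser sends, but a request that reaches port 81 without passing through Apache carries whatever header its sender chose, so the header is believed only when the TCP peer is the proxy. Function names, the trusted-proxy set and the sample requests are constructed for the example.

```python
import ipaddress

# Assumptions for this model (not the plugin's configuration): Apache
# terminates TLS on www.example.com and proxies from the same host.
CANONICAL_HOST = "www.example.com"
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}


def extract_credentials(environ, trusted_proxies=TRUSTED_PROXIES):
    """Extraction step: believe HTTP_X_REMOTE_USER only when the request came
    from the trusted proxy. A client that reaches the backend port directly
    and supplies its own header gets no credentials at all."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return {}
    if peer not in trusted_proxies:
        return {}
    login = environ.get("HTTP_X_REMOTE_USER", "").strip()
    if not login:
        return {}
    return {"login": login}


def challenge(environ):
    """Challenge step: send an unauthenticated plain-http request to the same
    path over HTTPS on the configured host, where SSLRequireSSL and Basic
    auth take over. Returns (status, headers), or None when already on HTTPS.
    The host is fixed rather than copied from the Host header so the redirect
    cannot be pointed off-site."""
    if environ.get("wsgi.url_scheme") == "https":
        return None
    path = environ.get("PATH_INFO") or "/"
    query = environ.get("QUERY_STRING", "")
    location = f"https://{CANONICAL_HOST}{path}"
    if query:
        location += "?" + query
    return ("302 Found", [("Location", location)])


# Constructed sample requests in WSGI environ form.
SAMPLE_REQUESTS = {
    # Came through Apache; VirtualHostBase/https makes Zope see https.
    "via_proxy": {
        "REMOTE_ADDR": "127.0.0.1",
        "wsgi.url_scheme": "https",
        "HTTP_X_REMOTE_USER": "erose",
        "PATH_INFO": "/Members/erose",
    },
    # Hit the backend port directly with a self-chosen header.
    "forged_direct": {
        "REMOTE_ADDR": "203.0.113.7",
        "wsgi.url_scheme": "http",
        "HTTP_X_REMOTE_USER": "admin",
        "PATH_INFO": "/manage_main",
    },
    # Anonymous request over plain http: no login, gets the redirect.
    "anonymous_http": {
        "REMOTE_ADDR": "127.0.0.1",
        "wsgi.url_scheme": "http",
        "PATH_INFO": "/login_form",
        "QUERY_STRING": "came_from=/front-page",
    },
}


if __name__ == "__main__":
    for name, env in SAMPLE_REQUESTS.items():
        print(name, extract_credentials(env), challenge(env))
```

In a real deployment the same guarantee is usually also enforced at the network layer (the backend bound to 127.0.0.1 only, as the RewriteRule target suggests), and the peer check is the defence in depth for the case where that binding is later widened.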
95. Questions?
Steve McMahon, Steve@dcn.org
Erik Rose, ErikRose@psu.edu
Image Credits
• Reactor defense in depth: http://www.nea.fr/html/brief/images/br-8-1.gif
• Gate: Nuclear Power Plant Dungeness - Corey Holms 2008, CC Attribution
• The Scream: Edvard Munch
• Locks on door: Kansir, Flickr, CC Attribution license
• What me worry? Rev. Voodoo, Flickr, CC Attribution, NC
• PB&J photo: Northern Miniatures
• BSD Daemon: Created by Poul-Henning Kamp
• INTERCAL Numerical I/O lib: Brian Raiter
• No Right Turn: greefus groinks' photostream, CC Attribution
• Sendmail and Postfix architecture diagrams: The Postfix mail server as a secure programming example, Wietse Venema, IBM T.J. Watson Research Center
• Shrug: spamily, Flickr, CC by A
• Zope Pope photo: MrTopf
• Other photos: Wikimedia Commons
• Crown jewels of Denmark: King Christian IV
97. WebServerAuth
Advantages over apachepas + AutoMemberMaker
Redirects to HTTPS
No user clutter
Member and Authenticated roles are distinct
Sets up Log In link for you
Better test coverage; death to doctests
One product, not two