@lslezak
Last active September 29, 2020 16:29
Security Problem in AutoYaST ERB Templates

Summary

This is just a PoC showing possible security issues in the AutoYaST ERB template test client.

Links

The Problem

ERB templates can contain arbitrary Ruby code, which is executed when the template is evaluated. That includes the backtick operator, which runs any shell command, and because the evaluation runs as root, so does the command:

<% `rm -rf /` %>

The problem is that the code is executed with root permissions. (Even running as non-root would still be a problem: a malicious template could steal your private data such as private SSH keys, GPG keys, ...)

Making it Even Worse... 😱

With ERB you can do very nasty tricks, like using backspace characters (0x08) inside an ERB comment to hide some of the content.

See the attached nasty.xml.erb example.

If you view the file with a tool that does not escape control characters, you might see just some innocent-looking content like this:

# cat nasty.xml.erb 
<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
  <general>
    <mode>
      <% puts "test" %><confirm config:type="boolean">true</confirm>
    </mode>
  </general>
</profile>

But in reality the file contains a hidden command which gets executed... ⚠️ See the nasty.xml.erb example file below.

You can try it with the command

/usr/sbin/yast2 autoyast check-profile filename=nasty.xml.erb

Note: Do not worry, this example is really safe. 😉

Mitigation

Maybe we should always warn the user not to use XML files from untrusted sources without auditing them first. We should probably ask the user for confirmation before running the validation, and possibly display the input file with special control characters escaped.
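The escaped-display mitigation, as an added example that is not part of the gist or of YaST itself: a Ruby script that lists the control characters found in a template, prints the template the way `cat -v` would, and shows the Ruby that ERB would execute without executing it. The sample template and the hidden tag are constructed here to mimic the backspace trick described above.

```ruby
require "erb"

# Constructed sample (not the gist's file): a hidden backtick tag followed by
# backspaces (0x08) that erase it on a terminal honouring control characters,
# then the innocent-looking tag the viewer actually sees.
HIDDEN_TAG = '<%`echo "hidden command" >&2`%><%#'
SAMPLE_TEMPLATE = <<~ERB
  <?xml version="1.0"?>
  <profile>
    <mode>
      #{HIDDEN_TAG}#{"\b" * HIDDEN_TAG.length}<% puts "test" %><confirm config:type="boolean">true</confirm>
    </mode>
  </profile>
ERB

# Control characters that have no business in an XML/ERB profile
# (newline, tab and carriage return are allowed).
SUSPICIOUS_CTRL = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# Return [line_number, column, codepoint] for every suspicious control
# character, so the user can be warned before anything is evaluated.
def find_control_chars(text)
  hits = []
  text.each_line.with_index(1) do |line, lineno|
    line.scan(SUSPICIOUS_CTRL) { hits << [lineno, $~.begin(0), $~[0].ord] }
  end
  hits
end

# Render the text the way `cat -v` would: each suspicious control character
# becomes a visible \xNN escape, so hidden content can no longer overwrite
# what was printed before it.
def escape_control_chars(text)
  text.gsub(SUSPICIOUS_CTRL) { |c| format("\\x%02X", c.ord) }
end

# Show the Ruby that ERB would run, without running it. The hidden backtick
# command appears here, while the <%# ... %> comment (and the puts inside
# it) is dropped by the ERB compiler.
def compiled_ruby(template)
  ERB.new(template).src
end

if __FILE__ == $PROGRAM_NAME
  hits = find_control_chars(SAMPLE_TEMPLATE)
  warn "#{hits.size} suspicious control character(s) found" unless hits.empty?
  puts escape_control_chars(SAMPLE_TEMPLATE)
  puts compiled_ruby(SAMPLE_TEMPLATE)
end
```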

nasty.xml.erb

<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
  <general>
    <mode>
      <%`echo "Running rm -rf / ;-)" >&2`%><%#<% puts "test" %><confirm config:type="boolean">true</confirm>
    </mode>
  </general>
</profile>