Potential security flaw with puppet and export resources

When using puppet exported resources, an administrator should always keep in mind the way the are defined. For those not familiar with puppet (a configuration management tool), exported resources are resources declared in a global store than can then be collected by other nodes.

For example, you might declare for everyhost a “backup” resource that will be collected on the backup server to create the required directories and access. That way you will not have to declare each host on the backup server.

These resources are stored by the puppet master. This means that a compromised server cannot add arbitrary exported resources to your store. However, there are potential problems with resources built from facts, as they are controlled by the node.

In the case of the backup sample, a malicious attacker could send a forged “fqdn” fact such as “../arbitrary/directory” and thus have its file layout created in an arbitrary place.

You can test this like that :

wget  --certificate=mycert.pem --private-key=mykey.pem 
"https://puppet:8140/production/catalog/my.fqdn.stuff?facts_format=b64_zlib_yaml&facts=`cat facts`" 
--no-check-certificate --header='Accept: yaml'

You can get the “facts” file content by reading your access.log. In order to read it, you must, with php :

<% gzuncompress(base64_decode(urldecode(urldecode(file_get_contents('facts'))))); %>

One thought on “Potential security flaw with puppet and export resources

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s