Описание
Glances has a Command Injection via Process Names in Action Command Templates
Summary
The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., {{name}}, {{key}}) that are populated with runtime monitoring data. The secure_popen() function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to subprocess.Popen(shell=False). When a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands.
Details
The action execution flow:
- Admin configures an action in glances.conf (documented feature):
- When the threshold is exceeded, the plugin model renders the template with runtime stats (glances/plugins/plugin/model.py:943):
-
The mustache_dict contains the full stat dictionary, including user-controllable fields like process name, filesystem mnt_point, container name, etc. (glances/plugins/plugin/model.py:920-943).
-
In glances/actions.py:77-78, the Mustache library renders the template:
- The rendered command is passed to secure_popen() (glances/actions.py:84):
The secure_popen vulnerability (glances/secure.py:17-30):
And __secure_popen() (glances/secure.py:33-77) splits by > and | then calls Popen(sub_cmd_split, shell=False) for each segment. The function splits the ENTIRE command string (including Mustache-rendered user data) by &&, >, and | characters, then executes each segment as a separate subprocess.
Additionally, the redirect handler at line 69-72 writes to arbitrary file paths:
PoC
Scenario 1: Command injection via pipe in process name
Scenario 2: Command chain via && in container name
Impact
-
Arbitrary command execution: An attacker who can control a process name, container name, filesystem mount point, or other monitored entity name can execute arbitrary commands as the Glances process user (often root).
-
Privilege escalation: If Glances runs as root (common for full system monitoring), a low-privileged user who can create processes can escalate to root.
-
Arbitrary file write: The > redirect handling in secure_popen enables writing arbitrary content to arbitrary file paths.
-
Preconditions: Requires admin-configured action templates referencing user-controllable fields + attacker ability to run processes on monitored system.
Recommended Fix
Sanitize Mustache-rendered values before secure_popen processes them:
Пакеты
Glances
< 4.5.2
4.5.2
Связанные уязвимости
(Glances is an open-source system cross-platform monitoring tool. The G ...)
Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.
Glances is an open-source system cross-platform monitoring tool. The G ...