Hello! I found a potential risk in start-word2pdf when I deployed it in the Alibaba Cloud Serverless Application Center. The service created by the application has a role with excessive permissions. A malicious user can leverage the "oss:*" permission on "*" resources to attack OSS, which may cause information leakage.
Details Analysis
After the application was deployed, it created a service named fc-libreoffice-ltsu. This service has a function named word2pdf, which inherits the role of the fc-libreoffice-ltsu service. This role has the AliyunOSSFullAccess policy attached, and that policy grants the "oss:*" action on "*" resources. Because the resource is "*", the action is not restricted to any particular bucket or object. So a malicious user who controls this function can attack OSS by leveraging this permission; in the end, he/she can do whatever he/she wants in OSS.
Attack Scenario
Assume the following attack scenario: a company has an Alibaba Cloud account with two employees, Bob and Alice, who are two RAM users in that account. Bob's RAM user only has the permissions relevant to Function Compute and has no permissions for OSS, while Alice's RAM user has administrator permissions. Alice has created the start-word2pdf application through the Serverless Application Center in the account. Bob can then use his Function Compute permissions to obtain the AccessKeyID, AccessKeySecret, and SecurityToken of the role used by the service in start-word2pdf, which gives Bob "*" permissions on the buckets and other services in OSS. Bob can use them to steal the sensitive information in the company account.
Mitigation Discussion
The resources for the "oss:*" permission should be restricted to the specific resource names the function actually needs.
Question
Is this a real issue in start-word2pdf?
If it is a real issue, can my suggestion be used to solve this problem?
If my suggestion can be used to solve this problem, could you assign a CVE number for my discovery?
By the way, I sent an email to [email protected] as described in your CONTRIBUTING.md, but the reply said the address doesn't exist. So I have to raise an issue to report this to you. I apologize for any inconvenience caused.
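As an added illustration of the mitigation discussed in the issue (this is example code written for this page, not code from the start-word2pdf project or from the reporter), the block below places a policy shaped like AliyunOSSFullAccess next to a scoped replacement and runs a small linter over both. The bucket name `word2pdf-work` and the exact set of OSS actions the function needs are assumptions; the policy JSON format (`"Version": "1"`, `acs:oss:*:*:<bucket>` and `acs:oss:*:*:<bucket>/*` resource names) is the standard RAM policy shape.

```python
import json

# Constructed policy in the shape of AliyunOSSFullAccess, as described in the
# issue: every OSS action ("oss:*") on every resource ("*").
BROAD_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}
    ],
}


def scoped_policy_for(bucket):
    """Build a least-privilege policy for a converter function that only
    needs to list one bucket and read/write objects in it. The action set
    is an assumption about what word2pdf needs; adjust it to the real
    workload (e.g. drop PutObject if results are returned inline)."""
    return {
        "Version": "1",
        "Statement": [
            {
                # bucket-level actions use the bare bucket ARN
                "Effect": "Allow",
                "Action": ["oss:ListObjects", "oss:GetBucketInfo"],
                "Resource": f"acs:oss:*:*:{bucket}",
            },
            {
                # object-level actions use the bucket ARN with a key pattern
                "Effect": "Allow",
                "Action": ["oss:GetObject", "oss:PutObject"],
                "Resource": f"acs:oss:*:*:{bucket}/*",
            },
        ],
    }


# Assumed bucket name for the scoped replacement.
SCOPED_POLICY = scoped_policy_for("word2pdf-work")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def resource_is_unbounded(resource):
    """True if an OSS resource name does not pin down a bucket.
    Format: acs:oss:<region>:<account>:<bucket>[/<key>]. Region and
    account wildcards are normal for OSS; a wildcard bucket is not."""
    if resource == "*":
        return True
    parts = resource.split(":", 4)
    if len(parts) < 5:
        return True  # malformed; treat conservatively
    bucket = parts[4].split("/", 1)[0]
    return bucket in ("", "*")


def find_wildcard_grants(policy, service="oss"):
    """Return (action, resource) pairs from Allow statements that grant a
    service-wide wildcard action (e.g. "oss:*") or an unbounded resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            svc, _, verb = action.partition(":")
            if svc not in (service, "*"):
                continue
            for res in _as_list(stmt.get("Resource", [])):
                if verb == "*" or resource_is_unbounded(res):
                    findings.append((action, res))
    return findings


if __name__ == "__main__":
    print("broad :", find_wildcard_grants(BROAD_POLICY))
    print("scoped:", find_wildcard_grants(SCOPED_POLICY))
    print(json.dumps(SCOPED_POLICY, indent=2))
```

Running the linter over a role's attached policies before deploying is the check a reviewer would want here: the broad policy reports `("oss:*", "*")`, the scoped one reports nothing, and a policy that names the bucket but still uses `oss:*` is reported as well, since the attacker in the scenario would still be able to delete or overwrite everything in that bucket.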