
A potential risk in the start-word2pdf can be used to attack the OSS buckets. #809

Open
zolaer9527 opened this issue Apr 1, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@zolaer9527

Hello! I found a potential risk in the start-word2pdf when I deployed it in the Alibaba Cloud Serverless Application Center. The service of the application has a role with excessive permissions. A malicious user can leverage the permission "oss:*" on * resources to attack the OSS, which may cause information leakage.

Detailed Analysis
After the application was deployed, it created a service named fc-libreoffice-ltsu. This service has a function named word2pdf, which inherits the role of the fc-libreoffice-ltsu service. This role has the AliyunOSSFullAccess policy, and that policy grants the permission "oss:*" on * resources. The action has no restriction on resources, since it uses * directly. So a malicious user who controls this function can attack the OSS by leveraging this permission. In the end, he/she can do whatever he/she wants to do on the OSS.

Attack Scenario
Assume the following attack scenario: in a company, there are two employees, Bob and Alice, and the company has an Alibaba Cloud account. The two employees are two RAM users in the account. Bob's RAM user only has the relevant permissions for Function Compute, while he doesn't have any permission for the OSS, and Alice's RAM user has administrator permissions. Alice has created the start-word2pdf application through the Serverless Application Center in the account. In that case, Bob can use the permissions related to Function Compute to obtain the AccessKeyID, AccessKeySecret, and SecurityToken of the role used by the service in the start-word2pdf, thereby giving Bob the * permissions for the buckets and other services in the OSS. Bob can use it to steal the sensitive information in the company account.

Mitigation Discussion
The resources of the permission "oss:*" should be restricted by using the specified resource name.

Question

  1. Is it a real issue in the start-word2pdf?
  2. If it's a real issue, can any of my suggestions be used to solve this problem?
  3. If my suggestions could be used to solve this problem, could you give me a CVE number to award my discovery?

By the way, I have sent an email to [email protected] according to your CONTRIBUTING.md, but it said the email doesn't exist. So I have to raise an issue to report this issue to you. I apologize for any inconvenience caused to you.

@zolaer9527 zolaer9527 added the bug Something isn't working label Apr 1, 2024
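The mitigation proposed above (scope "oss:*" to named resources instead of "*") is easiest to check mechanically. The following is an added example, not code from the start-word2pdf project or from the issue author: it audits a RAM policy document for Allow statements that grant OSS actions on an unbounded resource and places the weak policy shape the issue describes beside a bucket-scoped replacement. The bucket name `example-word2pdf-bucket` and both policy documents are constructed for illustration.

```python
"""Audit Alibaba Cloud RAM policy documents for OSS grants whose resource
is a wildcard, i.e. the over-broad shape "oss:*" on "*" described in the
issue, and show a least-privilege replacement.

Added example; not part of start-word2pdf. Bucket name and policies are
constructed for illustration.
"""
import json
from typing import Dict, List, Union

# Constructed: the shape of a full-access grant (action "oss:*" on "*").
WEAK_POLICY: Dict = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}
    ],
}

# Constructed: the same role restricted to one bucket and the few actions
# a document-conversion function actually needs. OSS ARNs have the form
# acs:oss:<region>:<account>:<bucket>[/<object-path>].
RESTRICTED_POLICY: Dict = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:PutObject"],
            "Resource": ["acs:oss:*:*:example-word2pdf-bucket/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["oss:ListObjects"],
            "Resource": ["acs:oss:*:*:example-word2pdf-bucket"],
        },
    ],
}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """RAM policies allow Action and Resource to be a string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_unbounded_oss_resource(arn: str) -> bool:
    """True when the resource does not name a specific bucket."""
    if arn == "*":
        return True
    parts = arn.split(":", 4)
    if len(parts) < 5 or parts[1] != "oss":
        return False  # not an OSS ARN; not this auditor's concern
    bucket = parts[4].split("/", 1)[0]
    return bucket in ("", "*")


def find_wildcard_oss_grants(policy: Dict) -> List[Dict]:
    """Return each Allow statement that grants an OSS action (or "*")
    on a resource that is not tied to a named bucket."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        oss_actions = [a for a in actions if a == "*" or a.lower().startswith("oss:")]
        if not oss_actions:
            continue
        broad = [r for r in _as_list(stmt.get("Resource"))
                 if _is_unbounded_oss_resource(r)]
        if broad:
            findings.append({"actions": oss_actions, "resources": broad})
    return findings


def audit(policy: Dict) -> str:
    """Human-readable verdict for one policy document."""
    findings = find_wildcard_oss_grants(policy)
    if not findings:
        return "OK: every OSS grant is scoped to a named bucket"
    lines = ["RISK: OSS grant(s) with unbounded resources"]
    for f in findings:
        lines.append(f"  actions={f['actions']} resources={f['resources']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit(WEAK_POLICY))
    print(audit(RESTRICTED_POLICY))
    print(json.dumps(RESTRICTED_POLICY, indent=2))
```

The check deliberately treats `acs:oss:*:*:*` the same as a bare `*`: the region and account wildcards are normal, but a wildcard in the bucket position is what turns a function role into a foothold over every bucket in the account.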
@zolaer9527
Author

Hello, are there any updates?

@zxypro1
Collaborator

zxypro1 commented Apr 8, 2024

@lowkeyrd Please check. Also, for Alibaba Cloud issues, it's better to report via the aliyun.com website.


3 participants