desktop-packages team mailing list archive

[Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>]

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to duplicity in Ubuntu.
https://bugs.launchpad.net/bugs/1519103

Title:
  Shell Code Injection in hsi backend

Status in duplicity package in Ubuntu:
  New

Bug description:
  The "hsi" backend of duplicity is vulnerabe to code injections.

  It uses os.popen3() with should be replaced with subprocess.Popen().

  Thank you.

  
  File :
  -------
  /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py

  This is the function witch is vulnerable :
  ------------------------------------------------------------
      def _list(self):
          commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
          l = os.popen3(commandline)[2].readlines()[3:]

  
  Exploit Demo :
  ============

  On the Terminal type in :

  $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug

  
  --> This will start the program xeyes , but should not.

  I attached a screenshot of the exploit demo.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: duplicity 0.7.02-1ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-18.22-generic 4.2.3
  Uname: Linux 4.2.0-18-generic x86_64
  ApportVersion: 2.19.1-0ubuntu5
  Architecture: amd64
  CurrentDesktop: MATE
  Date: Mon Nov 23 22:09:23 2015
  InstallationDate: Installed on 2015-11-13 (9 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
  SourcePackage: duplicity
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103/+subscriptions