duplicity-team team mailing list archive

[Bug 1520691] [NEW] Shell Code Injection in hsi backend

 

*** This bug is a security vulnerability ***

You have been subscribed to a private security bug by Kenneth Loafman (kenneth-loafman):

https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103

The "hsi" backend of duplicity is vulnerable to code injections.

It uses os.popen3(), which should be replaced with subprocess.Popen().

Thank you.

File :
-------
/usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py

This is the function which is vulnerable :
------------------------------------------------------------
    def _list(self):
        commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
        l = os.popen3(commandline)[2].readlines()[3:]

Exploit Demo :
============

On the Terminal type in :

$ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug

--> This will start the program xeyes, but should not.

I attached a screenshot of the exploit demo.

** Affects: duplicity
     Importance: Medium
     Assignee: Kenneth Loafman (kenneth-loafman)
         Status: In Progress

-- 
 Shell Code Injection in hsi backend
https://bugs.launchpad.net/bugs/1520691
You received this bug notification because you are a member of duplicity-team, which is subscribed to the bug report.
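
The difference between the string-based call in the report and an argument-vector call, as an added example that is not part of the bug report or of duplicity's code. The value of `HSI_COMMAND`, the `REPORT_DIR` sample (constructed from the path part of the URL in the report) and all function names are assumptions; a Python one-liner stands in for hsi so the example runs offline.

```python
import shlex
import subprocess
import sys

HSI_COMMAND = "hsi"  # stands in for the backend's hsi_command (assumed value)
REPORT_DIR = '";xeyes;"/test/'  # constructed: path part of the URL in the report
OPERATORS = {";", "&", "&&", "|", "||"}


def shell_view(remote_dir):
    """Tokens a POSIX shell would see in the string the vulnerable _list() builds."""
    commandline = '%s "ls -l %s"' % (HSI_COMMAND, remote_dir)
    lexer = shlex.shlex(commandline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    return list(lexer)


def split_commands(tokens):
    """Group tokens into separate commands at shell control operators."""
    commands, current = [], []
    for tok in tokens:
        if tok in OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def list_argv(remote_dir):
    """Argument vector for subprocess.Popen with no shell in between."""
    return [HSI_COMMAND, "ls -l %s" % remote_dir]


def run_without_shell(remote_dir):
    """Run a stub in place of hsi and return the one argument it received."""
    stub = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]
    proc = subprocess.Popen(stub + list_argv(remote_dir)[1:],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, _ = proc.communicate()
    return out.decode()


if __name__ == "__main__":
    print(split_commands(shell_view(REPORT_DIR)))  # more than one command
    print(repr(run_without_shell(REPORT_DIR)))     # one literal argument
```

The example covers the shell layer only; how hsi itself parses the `ls -l ...` string it receives is outside it.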