
duplicity-team team mailing list archive

Re: [Bug 1520691] Re: Shell Code Injection in hsi backend


On 29.11.2015 17:34, Aaron Whitehouse wrote:
> Looks like we should move away from shell=True ASAP.
> 
> https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
> "Warning 
> Executing shell commands that incorporate unsanitized input from an untrusted source makes a program vulnerable to shell injection, a serious security flaw which can result in arbitrary command execution. For this reason, the use of shell=True is strongly discouraged in cases where the command string is constructed from external input [...]"
> 

that's going to be some effort. we have several backends utilizing shell
binaries and at least ftp has a similar issue.

btw. how is the GpgInterface dealing with this?
 https://bazaar.launchpad.net/~duplicity-team/duplicity/0.7-series/view/head:/duplicity/gpginterface.py
theoretically it should have a similar attack surface but it seems to utilize os.execvp(command[0], command) which seems to have no shell injection issues, as no shell is used.
this guy seems to have dug up how subprocess.call() actually uses os.execvp() internally.
 http://blog.littleimpact.de/index.php/2008/08/11/avoiding-shell-injection-in-ruby-python-and-php/

in summary i'd agree that switching shell=False for subprocess calls should do the trick. 
ages ago i tried to streamline subprocess usage by adding Backend.subprocess_popen(). reworking all backends to use it and just fix it there should suffice. obviously it will need to be given a list of arguments with a fixed arg[0] run command in that case ;)

..ede/duply.net

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691

Title:
   Shell Code Injection in hsi backend

Status in Duplicity:
  In Progress

Bug description:
  https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103

  The "hsi" backend of duplicity is vulnerable to code injections.

  It uses os.popen3(), which should be replaced with subprocess.Popen().

  Thank you.

  File :
  -------
  /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py

  This is the function which is vulnerable:
  ------------------------------------------------------------
      def _list(self):
          # remote_dir comes from the hsi:// URL and is spliced unescaped into a
          # command string that os.popen3() hands to /bin/sh
          commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
          l = os.popen3(commandline)[2].readlines()[3:]

  Exploit Demo :
  ============

  On the Terminal type in :

  $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug

  --> This will start the program xeyes , but should not.

  I attached a screenshot of the exploit demo.

To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
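As an added illustration (not code from duplicity or from either poster), the Python 3 snippet below puts the command string the reported _list() built next to the argument-list form that a shell-free Backend.subprocess_popen() could take, and runs the hardened form against a stand-in binary to show that the path from the report reaches the child as one literal argument. `run_without_shell`, `ECHO_ARGV` and `argv_seen_by_child` are hypothetical helpers for this demo, and `safe_argv` assumes hsi accepts the `ls -l` command as a single argument, as the original quoting implied.

```python
import json
import subprocess
import sys

# Constructed values for this demonstration; not taken from duplicity.
HSI_COMMAND = "hsi"
# Path shaped like the report's 'hsi://bug/";xeyes;"/test/' URL.
HOSTILE_REMOTE_DIR = 'bug/";xeyes;"/test/'


def vulnerable_commandline(hsi_command, remote_dir):
    """The string the reported _list() handed to os.popen3(); /bin/sh reads
    the quotes and ';' inside remote_dir as syntax, not as data."""
    return '%s "ls -l %s"' % (hsi_command, remote_dir)


def safe_argv(hsi_command, remote_dir):
    """Argument list for shell=False: argv[0] is the fixed hsi binary and the
    remote path stays inside one argument, however odd it looks."""
    return [hsi_command, "ls -l %s" % remote_dir]


def run_without_shell(argv):
    """Hypothetical shape for a fixed Backend.subprocess_popen(): accept only
    an argument list, never set shell=True, return exit code and stdout."""
    if isinstance(argv, str):
        raise TypeError("pass an argument list, not a command string")
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return proc.returncode, proc.stdout


# Stand-in for the hsi binary: a Python one-liner that reports its argv.
ECHO_ARGV = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]


def argv_seen_by_child(remote_dir):
    """Run the stand-in with the hardened argv; return the argv it received."""
    argv = ECHO_ARGV + safe_argv(HSI_COMMAND, remote_dir)[1:]
    rc, out = run_without_shell(argv)
    if rc != 0:
        raise RuntimeError("stand-in failed: %s" % out)
    return json.loads(out)


if __name__ == "__main__":
    print(vulnerable_commandline(HSI_COMMAND, HOSTILE_REMOTE_DIR))
    print(argv_seen_by_child(HOSTILE_REMOTE_DIR))
```

With shell=True the first string would let /bin/sh run xeyes between the two `;`; with the list form the child sees a single argument `ls -l bug/";xeyes;"/test/` and no shell ever parses it.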

