duplicity-team team mailing list archive
Message #03257
Re: [Bug 1520691] Re: Shell Code Injection in hsi backend
On 30.11.2015 18:45, Bernd Dietzel wrote:
> I'm not happy with shlex.split.
> It could split the commandline into unwanted additional arguments.
>
> Example with an unwanted help argument in a path:
>
> theregrunner@PC:~$ python
> Python 2.7.10 (default, Oct 14 2015, 16:09:02)
> [GCC 5.2.1 20151010] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> commandline = '%s "ls -l %s"' % ('program' , '/tmp/" "--help')
> >>> commandline
> 'program "ls -l /tmp/" "--help"'
> >>> import shlex
> >>> args = shlex.split(commandline)
> >>> args
> ['program', 'ls -l /tmp/', '--help']
> >>>
Can you see a security implication? Worst case afaics is breakage.
Actually, backends had to have the parameters properly quoted already.
If not, they wouldn't work with spaces or other special chars. Not sure
that all were tested against these corner cases though.
..ede/duply.net
--
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691
Title:
Shell Code Injection in hsi backend
Status in Duplicity:
Fix Committed
Bug description:
https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
The "hsi" backend of duplicity is vulnerable to code injections.
It uses os.popen3(), which should be replaced with subprocess.Popen().
Thank you.
File :
-------
/usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
This is the function which is vulnerable:
------------------------------------------------------------
def _list(self):
    # self.remote_dir comes from the user-supplied URL and is pasted
    # unquoted into a string that os.popen3() hands to the shell.
    commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
    l = os.popen3(commandline)[2].readlines()[3:]
Exploit Demo :
============
On the Terminal type in :
$ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
--> This will start the program xeyes, but should not.
I attached a screenshot of the exploit demo.
To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
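As an added example (not code from the duplicity project or from either poster), the following contrasts the shlex.split approach Bernd objects to with an argument list handed to subprocess without a shell, using the thread's own hostile paths. The hsi binary is replaced by a constructed Python stub that reports the argv it received, so no HPSS client is needed.

```python
import json
import shlex
import subprocess
import sys

# Constructed stand-in for the real `hsi` binary: a Python one-liner that
# prints the argv it received, so each invocation style can be observed.
STUB_PROGRAM = [sys.executable, "-c",
                "import sys, json; print(json.dumps(sys.argv[1:]))"]


def argv_via_shlex(hsi_command, remote_dir):
    """The approach questioned in the thread: format one command string,
    then let shlex.split() cut it into arguments afterwards."""
    commandline = '%s "ls -l %s"' % (hsi_command, remote_dir)
    return shlex.split(commandline)


def argv_as_list(hsi_command, remote_dir):
    """Argument list built without any shell parsing: the hsi command stays
    a single argv element whatever characters remote_dir contains."""
    return [hsi_command, "ls -l %s" % remote_dir]


def child_sees(argv):
    """Run argv[1:] through the stub (no shell involved) and return the
    argument vector the child process actually received."""
    out = subprocess.check_output(STUB_PROGRAM + argv[1:])
    return json.loads(out.decode())


if __name__ == "__main__":
    # Path from Bernd's message: an embedded quote splits off "--help".
    print(argv_via_shlex("hsi", '/tmp/" "--help'))
    # Same path as a list: one argument, quotes and all.
    print(argv_as_list("hsi", '/tmp/" "--help'))
    # Path from the bug report: semicolons reach the child untouched,
    # because no shell ever parses the string.
    print(child_sees(argv_as_list("hsi", 'bug/";xeyes;"/test/')))
```

Note that hsi still receives the `ls -l ...` string and parses it itself, so whether hsi treats quotes or semicolons inside it specially is up to hsi (not verified here); the argument list only removes the local shell from the picture.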