
duplicity-team team mailing list archive

Re: [Bug 1520691] Re: Shell Code Injection in hsi backend


On 30.11.2015 20:34, Bernd Dietzel wrote:
> @edso
> This depends on the program which we call.
> We can not check all of the possible parameter combinations if they lead to a leak.
> So we do not want to have the arguments out of our hands.

well, most (if not all) legacy command lines start with a word, so
parameter issues sound merely academic from a security point of view.

having written that i realise, there might be corner cases leading to
sensitive files being read/overwritten when run as root, when the client
binary fails to parse params correctly, that might be worth the effort
to manually patch each and every backend affected.

> @Kenneth
> Why do we put the commands into a long string and afterwards "hopefully" split them again ?
> We should put them directly into a commandlist at the point we still know what was what.
> This would make it easy again ;-)
> 

there is the "ominous" we again. ;) patching every backend is a lot of
effort and some "ominous" somebody needs to find the time to hack the
solution. are you volunteering?

..ede/duply.net

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691

Title:
   Shell Code Injection in hsi backend

Status in Duplicity:
  Fix Committed

Bug description:
  https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103

  The "hsi" backend of duplicity is vulnerable to code injections.

  It uses os.popen3() which should be replaced with subprocess.Popen().

  Thank you.

  File :
  -------
  /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py

  This is the function which is vulnerable :
  ------------------------------------------------------------
      def _list(self):
          commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
          l = os.popen3(commandline)[2].readlines()[3:]

  Exploit Demo :
  ============

  On the Terminal type in :

  $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug

  --> This will start the program xeyes , but should not.

  I attached a screenshot of the exploit demo.

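The following is an added example, not duplicity's code and not part of the thread above. It reproduces the bug-report's _list() pattern in Python 3 (the page's snippet is Python 2; os.popen3() no longer exists, subprocess is used throughout) next to the two fixes discussed in the thread: handing the command to subprocess as an argument list, as Bernd proposes, and, for a backend that genuinely needs a shell, quoting each untrusted piece with shlex.quote. Assumptions: the hsi binary is replaced by a stand-in (echo) that simply prints the single argument it receives, so the demo runs offline, and the xeyes payload from the report is replaced by a harmless "echo INJECTED" marker. Note ede's caveat still applies: the argv-list fix stops the local /bin/sh from interpreting remote_dir, but the inner "ls -l ..." string is still parsed by hsi itself, and nothing here can vouch for how that client handles odd characters.

```python
"""Added example: the hsi backend's shell-injection pattern and two fixes.

Not duplicity's own code. The real 'hsi' client is stood in for by 'echo',
which prints the one argument it receives, so everything runs offline.
"""
import shlex
import subprocess

# Constructed hostile remote_dir, shaped like the report's URL path
# (hsi://bug/";xeyes;"/test/) with a harmless marker in place of xeyes.
HOSTILE_REMOTE_DIR = 'bug/";echo INJECTED;"/test/'


def list_vulnerable(hsi_command, remote_dir):
    """Mirror of the reported _list(): the command is built by string
    formatting and handed to /bin/sh, so the double quotes inside
    remote_dir close the quoted "ls -l ..." argument and whatever follows
    runs as a separate shell command (here: echo INJECTED)."""
    commandline = '%s "ls -l %s"' % (hsi_command, remote_dir)
    proc = subprocess.run(commandline, shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def list_argv(hsi_command, remote_dir):
    """Fix 1: keep the command as a list, as suggested in the thread.
    No shell is involved at all; remote_dir travels to the client as part
    of exactly one argv entry regardless of the characters it contains."""
    argv = [hsi_command, "ls -l %s" % remote_dir]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout.splitlines()


def list_quoted(hsi_command, remote_dir):
    """Fix 2: if a backend must go through a shell (for example because the
    user supplies a whole command line with options), quote every untrusted
    piece with shlex.quote so the shell sees it as a single word."""
    commandline = "%s %s" % (hsi_command,
                             shlex.quote("ls -l %s" % remote_dir))
    proc = subprocess.run(commandline, shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def demo(stand_in="echo"):
    """Run all three variants against the stand-in client and record
    whether the marker was executed (shows up as its own output line) or
    merely passed through as data inside the listing argument."""
    results = {}
    for name, fn in (("vulnerable", list_vulnerable),
                     ("argv", list_argv),
                     ("quoted", list_quoted)):
        lines = fn(stand_in, HOSTILE_REMOTE_DIR)
        results[name] = {"lines": lines, "injected": "INJECTED" in lines}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print("%-10s injected=%-5s %r" % (name, r["injected"], r["lines"]))
```

Running the block prints the vulnerable variant with "INJECTED" on its own output line (the shell ran it as a command; the trailing "/test/" fragment then fails as a non-existent command, which is why the original demo still "works" despite the garbage after the payload), while both fixes print the whole hostile string as one literal argument. The argv form is the one to prefer: it needs no quoting discipline per call site, which is exactly the per-backend effort the thread is worried about.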
