
duplicity-team team mailing list archive

Re: [Bug 1520691] Re: Shell Code Injection in hsi backend

 

The way it is implemented now will probably not be exploitable and will
probably work correctly as long as users behave rationally.  Exploits
depending on multiple statements being executed in one command will not
work.  Other exploits are possible, I'm sure, but not through shell code
injection.

The whole idea of shell code injection implies bad player access, which is
the issue that should be most important to close.


On Mon, Nov 30, 2015 at 3:11 PM, Bernd Dietzel <1520691@xxxxxxxxxxxxxxxxxx>
wrote:

> @edso
> > ... so parameter issues sound merely academic from a security point of
> view. ...
>
> Not so academic as you think, I could for example exploit the program
> Gufw with the legal parameter "disable" so the firewall went off, which
> was not wanted and not shown in the GUI.
>
> > ... there is the "ominous" we agn. ;) ....
>
> I used "we should ..." because it sounds so hard if I say "you have made
> some mistake" ... ;-)
> I can help patching, but I found more than 30 shell injections in other
> Python scripts, so ... you are not the only ones ;-)
> My bug list, where you can find some inspiration on how the others fixed
> their bugs:
>
> https://bugs.launchpad.net/~l-ubuntuone1104/+bugs?orderby=-importance&start=0
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1520691
>
> Title:
>    Shell Code Injection in hsi backend
>
> Status in Duplicity:
>   Fix Committed
>
> Bug description:
>   https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
>
>   The "hsi" backend of duplicity is vulnerable to code injections.
>
>   It uses os.popen3(), which should be replaced with subprocess.Popen().
>
>   Thank you.
>
>   File :
>   -------
>   /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
>
>   This is the function which is vulnerable :
>   ------------------------------------------------------------
>       def _list(self):
>           commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
>           l = os.popen3(commandline)[2].readlines()[3:]
>
>   Exploit Demo :
>   ============
>
>   On the Terminal type in :
>
>   $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
>
>   --> This will start the program xeyes , but should not.
>
>   I attached a screenshot of the exploit demo.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
>

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691
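
An added example, not part of the original thread or of duplicity's code: the string-formatting pattern from the bug report handed to a shell, next to the argument-vector form that subprocess allows. `echo` stands in for the hsi binary and the input carries a harmless marker command in place of xeyes; both are assumptions so that it runs offline on Python 3, where `shell=True` reproduces how os.popen3 passed a string to the shell.

```python
import subprocess

HSI_STAND_IN = "echo"  # assumption: harmless stand-in for the real hsi binary

# Constructed input, modelled on the URL path in the bug report but with a
# harmless marker command in place of xeyes.
REMOTE_DIR = 'bug/";echo INJECTED;"/test/'


def list_via_shell(remote_dir):
    """Pattern from the bug report: one formatted string parsed by /bin/sh."""
    commandline = '%s "ls -l %s"' % (HSI_STAND_IN, remote_dir)
    proc = subprocess.run(commandline, shell=True, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, universal_newlines=True)
    return proc.stdout.splitlines()


def list_via_argv(remote_dir):
    """Argument-vector form: no shell parses the string, so the quote and
    the semicolons stay inside one single argument."""
    argv = [HSI_STAND_IN, "ls -l %s" % remote_dir]
    proc = subprocess.run(argv, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, universal_newlines=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    # The shell form yields two output lines: the path's closing quote ended
    # the first command and the marker ran as a second statement.
    print("shell:", list_via_shell(REMOTE_DIR))
    # The argv form yields one line holding the path exactly as supplied.
    print("argv :", list_via_argv(REMOTE_DIR))
```

The argv form removes only the local shell as a parser; how the called program interprets the string it receives is a separate question.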
