duplicity-team team mailing list archive

[edso <1520691@xxxxxxxxxxxxxxxxxx>]

On 30.11.2015 23:05, Kenneth Loafman wrote:
> The whole idea of shell code injection implies bad player access, which is
> the issue that should be most important to close.

we backup to potentially insecure backends. that's what the encryption
is for ;).. in theory a malicious party could fiddle with the file names
on the backend and i am pretty sure no one tested this possibility with
shell based backends so far wrt. shell injections.

so actually, disagreed. but as usual, it will be done if somebody does
it ;) not earlier.

btw. python pexpect seems to shlex.split() too if it isn't provided a list of arguments
 https://github.com/pexpect/pexpect/blob/master/pexpect/popen_spawn.py#L42

..ede/duply.net

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691

Title:
   Shell Code Injection in hsi backend

Status in Duplicity:
  Fix Committed

Bug description:
  https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103

  The "hsi" backend of duplicity is vulnerabe to code injections.

  It uses os.popen3() with should be replaced with subprocess.Popen().

  Thank you.

  File :
  -------
  /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py

  This is the function witch is vulnerable :
  ------------------------------------------------------------
      def _list(self):
          commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
          l = os.popen3(commandline)[2].readlines()[3:]

  Exploit Demo :
  ============

  On the Terminal type in :

  $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug

  --> This will start the program xeyes , but should not.

  I attached a screenshot of the exploit demo.

To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions