← Back to team overview

duplicity-team team mailing list archive

  1. duplicity-team team
  2. Mailing list archive
  3. Message #03264

Re: [Bug 1520691] Re: Shell Code Injection in hsi backend

  Thread PreviousDate PreviousThread Next 
On 30.11.2015 22:11, Bernd Dietzel wrote:
> @edso
>> ... so parameter issues sound merely academic from a security point of view. ...
> 
> Not so academic as you think , i could for example exploit the program Gufw with the legal parameter "disable" so the firewall went off,  witch was not wanted and not shown in the gui.  

provided you manage "Gufw" to be executed which at least now is much harder, maybe impossible, would have to check all backends to determine.
  
>> ... there is the "ominous" we agn. ;) ....
> 
> I used "we should ... " because it sounds so hard if i say "you have made some mistake" ... ;-)

well, how would you know if we wrote that part anyhow ;) might have been
the original author or some contributor years ago. in these cases i like
to stick the matter at hand. eg. "there is a mistake/error because"

the "ominous" we is like it's siblings.. this "no one" who is
responsible and the "some one" who should do something about it. we
should be used if you are a part of that group and only then ;)

> I can help patching, but i found more than 30 Shell Injections in
other python scripts , so ... you are not the only ones ;-)

at least you understand that we are a very small team with jobs and this
spare-time activity, so if something does not happen instantly or at all
that's usually because the lack of time.

> My buglist where you can find some inspiration how the other ones fixed their bugs
> https://bugs.launchpad.net/~l-ubuntuone1104/+bugs?orderby=-importance&start=0
> 

thanks, will have a look.

..ede/duply.net

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691

Title:
   Shell Code Injection in hsi backend

Status in Duplicity:
  Fix Committed

Bug description:
  https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103

  The "hsi" backend of duplicity is vulnerabe to code injections.

  It uses os.popen3() with should be replaced with subprocess.Popen().

  Thank you.

  File :
  -------
  /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py

  This is the function witch is vulnerable :
  ------------------------------------------------------------
      def _list(self):
          commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
          l = os.popen3(commandline)[2].readlines()[3:]

  Exploit Demo :
  ============

  On the Terminal type in :

  $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug

  --> This will start the program xeyes , but should not.

  I attached a screenshot of the exploit demo.

To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions

References

  Thread PreviousDate PreviousThread Next