
duplicity-team team mailing list archive

Re: [Bug 1520691] Re: Shell Code Injection in hsi backend


No attack, but it does something odd...

---- normal run ---
ken@stealth:~$ rm -f /tmp/testdup/*; duplicity full -v9 ~/bin 'rsync://stealth///tmp/testdup'
ken@stealth:~$ ll /tmp/testdup
total 72
-rw------- 1 ken ken   834 Dec  2 07:13 duplicity-full.20151202T131324Z.manifest.gpg
-rw------- 1 ken ken 56942 Dec  2 07:13 duplicity-full.20151202T131324Z.vol1.difftar.gpg
-rw------- 1 ken ken 10628 Dec  2 07:13 duplicity-full-signatures.20151202T131324Z.sigtar.gpg

--- funny run ---
ken@stealth:~$ rm -f /tmp/testdup/*; duplicity full -v9 ~/bin 'rsync://stealth///tmp/testdup --log-file=xxx'
ken@stealth:~$ ll /tmp/testdup
total 72
-rw------- 1 ken ken   833 Dec  2 07:16 duplicity-full.20151202T131620Z.manifest.gpg
-rw------- 1 ken ken 10628 Dec  2 07:16 duplicity-full-signatures.20151202T131620Z.sigtar.gpg
-rw------- 1 ken ken 56942 Dec  2 07:16 mktemp-xaTcaB-2   <== contains the missing difftar contents.

So, something is going on, but what is currently unknown.  The xxx log file
was never created, so no attack.  It's possible it may have been created in
one of the temp dirs, but not on the system.


On Wed, Dec 2, 2015 at 6:33 AM, edso <1520691@xxxxxxxxxxxxxxxxxx> wrote:

> On 01.12.2015 22:44, Bernd Dietzel wrote:
> > second test :
> >
> >  use the path
> >
> > /tmp/ --log-file=xxx
> >
>
> 1. can you provide a proper command line that illustrates a problem?
> along the lines of 'duplicity /local/path rsync://'
>
> 2. this would be a simple bug, but no security issue. actually what you
> describe is legally possible with duplicity by using the parameter
> --rsync-options.
>
> if you can come up w/ an attack where the filenames on the backend were
> maliciously modified in a way that exploits a locally run duplicity,
> then you'd have me convinced instantly.
>
> ..ede/duply.net
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1520691
>
> Title:
>    Shell Code Injection in hsi backend
>
> Status in Duplicity:
>   Fix Committed
>
> Bug description:
>   https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
>
>   The "hsi" backend of duplicity is vulnerable to code injections.
>
>   It uses os.popen3(), which should be replaced with subprocess.Popen().
>
>   Thank you.
>
>   File :
>   -------
>   /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
>
>   This is the function which is vulnerable :
>   ------------------------------------------------------------
>       def _list(self):
>           commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
>           l = os.popen3(commandline)[2].readlines()[3:]
>
>   Exploit Demo :
>   ============
>
>   On the Terminal type in :
>
>   $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
>
>   --> This will start the program xeyes , but should not.
>
>   I attached a screenshot of the exploit demo.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
>

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691

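The bug report above says the `_list` function should stop building a shell string for `os.popen3()` and use `subprocess` instead. The following is an added example of what that hardening looks like; it is not duplicity's own code, and the helper names (`build_hsi_list_argv`, `run_hsi_list`, `has_shell_metachars`) are assumptions made here. The `hsi` binary is not needed to try it: passing `echo` as the command stand-in shows that the path from the report's demo reaches the child process as one literal argument instead of being parsed by `/bin/sh`.

```python
import shlex
import subprocess

# Characters that /bin/sh would interpret if the path were ever spliced into a
# shell command string. Used here only to flag suspicious input for logging or
# rejection; the real fix below is to never hand the string to a shell at all.
SHELL_META = set(';&|`$<>()"\'\\\n')


def has_shell_metachars(path):
    """Return True if `path` contains any shell metacharacter."""
    return any(c in SHELL_META for c in path)


def build_hsi_list_argv(hsi_command, remote_dir):
    """Build argv for `hsi "ls -l <remote_dir>"` without a local shell.

    The original code did '%s "ls -l %s"' % (hsi_command, remote_dir) and
    handed that string to os.popen3(), which runs it through /bin/sh, so a
    remote_dir such as  bug/";xeyes;"/test/  became extra shell commands.
    Here the process is started from an argv list: element 0 is the program,
    element 1 is the single argument hsi receives. shlex.quote() protects the
    path on the hsi side, where hsi itself parses the "ls -l ..." text.
    """
    return [hsi_command, "ls -l %s" % shlex.quote(remote_dir)]


def run_hsi_list(hsi_command, remote_dir):
    """Run the listing and return (stdout, stderr, returncode).

    hsi writes its listing to stderr (the report's code reads popen3()[2]),
    so both streams are returned and the caller picks the one it needs.
    """
    proc = subprocess.run(
        build_hsi_list_argv(hsi_command, remote_dir),
        capture_output=True,
        text=True,
        check=False,
    )
    return proc.stdout, proc.stderr, proc.returncode


if __name__ == "__main__":
    # Constructed input: the path from the bug report's demo, run with
    # `echo` standing in for hsi so the example works on any Linux box.
    demo_path = 'bug/";xeyes;"/test/'
    print("suspicious path:", has_shell_metachars(demo_path))
    out, err, rc = run_hsi_list("echo", demo_path)
    print("child received:", out.strip())
```

Running it prints `child received: ls -l 'bug/";xeyes;"/test/'`: the quotes and semicolons arrive as plain text in one argument and no second program is started. Keeping `has_shell_metachars` as a separate check lets a backend log or refuse odd-looking paths while the argv-based launch remains the actual protection.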
