duplicity-team team mailing list archive
-
duplicity-team team
-
Mailing list archive
-
Message #03277
Re: [Bug 1520691] Re: Shell Code Injection in hsi backend
When you build the commandline in duplicity you have full control of what
you put in. Not sure what you mean.
On Wed, Dec 2, 2015 at 2:01 PM, Bernd Dietzel <1520691@xxxxxxxxxxxxxxxxxx>
wrote:
> This is why i do not like to give the arguments out of my hands.
> A parameter may start any program, like rsync starts firefox or xmessage :
>
> duplicity 'rsync://x/ --rsh="xmessage "' ~/t
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1520691
>
> Title:
> Shell Code Injection in hsi backend
>
> Status in Duplicity:
> Fix Committed
>
> Bug description:
> https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
>
> The "hsi" backend of duplicity is vulnerabe to code injections.
>
> It uses os.popen3() with should be replaced with subprocess.Popen().
>
> Thank you.
>
> File :
> -------
> /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
>
> This is the function witch is vulnerable :
> ------------------------------------------------------------
> def _list(self):
> commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
> l = os.popen3(commandline)[2].readlines()[3:]
>
> Exploit Demo :
> ============
>
> On the Terminal type in :
>
> $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
>
> --> This will start the program xeyes , but should not.
>
> I attached a screenshot of the exploit demo.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
>
--
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691
Title:
Shell Code Injection in hsi backend
Status in Duplicity:
Fix Committed
Bug description:
https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
The "hsi" backend of duplicity is vulnerabe to code injections.
It uses os.popen3() with should be replaced with subprocess.Popen().
Thank you.
File :
-------
/usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
This is the function witch is vulnerable :
------------------------------------------------------------
def _list(self):
commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
l = os.popen3(commandline)[2].readlines()[3:]
Exploit Demo :
============
On the Terminal type in :
$ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
--> This will start the program xeyes , but should not.
I attached a screenshot of the exploit demo.
To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
References