duplicity-team team mailing list archive

Thread
Date

Re: [Bug 1520691] Re: Shell Code Injection in hsi backend

To: duplicity-team@xxxxxxxxxxxxxxxxxxx
From: Kenneth Loafman <kenneth@xxxxxxxxxxx>
Date: Wed, 02 Dec 2015 21:12:33 -0000
Reply-to: Bug 1520691 <1520691@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

When you build the commandline in duplicity you have full control of what
you put in.  Not sure what you mean.


On Wed, Dec 2, 2015 at 2:01 PM, Bernd Dietzel <1520691@xxxxxxxxxxxxxxxxxx>
wrote:

> This is why i do not like to give the arguments out of my hands.
> A parameter may start any program, like rsync starts firefox or xmessage :
>
> duplicity 'rsync://x/ --rsh="xmessage "' ~/t
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1520691
>
> Title:
>    Shell Code Injection in hsi backend
>
> Status in Duplicity:
>   Fix Committed
>
> Bug description:
>   https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
>
>   The "hsi" backend of duplicity is vulnerabe to code injections.
>
>   It uses os.popen3() with should be replaced with subprocess.Popen().
>
>   Thank you.
>
>   File :
>   -------
>   /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
>
>   This is the function witch is vulnerable :
>   ------------------------------------------------------------
>       def _list(self):
>           commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
>           l = os.popen3(commandline)[2].readlines()[3:]
>
>   Exploit Demo :
>   ============
>
>   On the Terminal type in :
>
>   $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
>
>   --> This will start the program xeyes , but should not.
>
>   I attached a screenshot of the exploit demo.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
>

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691

Title:
   Shell Code Injection in hsi backend

Status in Duplicity:
  Fix Committed

Bug description:
  https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103

  The "hsi" backend of duplicity is vulnerabe to code injections.

  It uses os.popen3() with should be replaced with subprocess.Popen().

  Thank you.

  File :
  -------
  /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py

  This is the function witch is vulnerable :
  ------------------------------------------------------------
      def _list(self):
          commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
          l = os.popen3(commandline)[2].readlines()[3:]

  Exploit Demo :
  ============

  On the Terminal type in :

  $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug

  --> This will start the program xeyes , but should not.

  I attached a screenshot of the exploit demo.

To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions

References

[Bug 1520691] Re: Shell Code Injection in hsi backend
From: Bernd Dietzel, 2015-12-02