duplicity-team team mailing list archive
-
duplicity-team team
-
Mailing list archive
-
Message #03286
[Bug 1520691] Re: Shell Code Injection in hsi backend
not at all. rsync --rsh="binary" is a feature. if you are complaining
that rsync runs another binary feel free to complain to the rsync devs.
you should consider consulting rsync manpage first about what --rsh is
meant for though.
and eventually - this is no exploit. it's merely a parsing bug which
should of course be fixed, when time allows.
as i wrote earlier
"
if you can come up w/ an attack where the filenames on the backend were maliciously modified in a way that exploits a locally run duplicity, than you'd have me convinced instantly.
"
happy hunting.. ede/duply.net
--
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691
Title:
Shell Code Injection in hsi backend
Status in Duplicity:
Fix Committed
Bug description:
https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
The "hsi" backend of duplicity is vulnerabe to code injections.
It uses os.popen3() with should be replaced with subprocess.Popen().
Thank you.
File :
-------
/usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
This is the function witch is vulnerable :
------------------------------------------------------------
def _list(self):
commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
l = os.popen3(commandline)[2].readlines()[3:]
Exploit Demo :
============
On the Terminal type in :
$ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
--> This will start the program xeyes , but should not.
I attached a screenshot of the exploit demo.
To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
