
duplicity-team team mailing list archive

[Bug 1520691] Re: Shell Code Injection in hsi backend


wrt. your video.
 https://youtu.be/A5ol7bO_scQ

we are d'accord that there is a possibility that the parameter might
contain an unwanted parameter. but as duplicity command lines are created
by the user and _not_ an attacker it is in the user's purview to make
sure the target url is proper.

there is no ui to my knowledge for duplicity that browses a backend
and lets the user pick a possibly malicious path.

having written all that - please come up with an attack based on the backend's file naming
 or
please accept that this is going to stand as long as nobody finds time to tackle it
 or
ideally just fix it yourself and provide patches or a branch!

so long.. ede/duply.net

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691

Title:
   Shell Code Injection in hsi backend

Status in Duplicity:
  Fix Committed

Bug description:
  https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103

  The "hsi" backend of duplicity is vulnerable to code injection.

  It uses os.popen3(), which should be replaced with subprocess.Popen().

  Thank you.

  File :
  -------
  /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py

  This is the function which is vulnerable :
  ------------------------------------------------------------
      def _list(self):
          # self.remote_dir (the path part of the hsi:// URL) is pasted
          # unquoted into a string that os.popen3() hands to /bin/sh
          commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
          # hsi writes its listing to stderr ([2]); the first 3 lines are noise
          l = os.popen3(commandline)[2].readlines()[3:]

  Exploit Demo :
  ============

  On the Terminal type in :

  $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug

  --> This will start the program xeyes , but should not.

  I attached a screenshot of the exploit demo.
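Added example, not duplicity's own code: the string-built command line from hsibackend._list() next to an argv-based subprocess call that never involves a shell, plus a check that flags remote_dir values the old construction would have misparsed. It assumes Python 3 and uses /bin/echo as a stand-in for the hsi binary so the listing call can run anywhere; the hsi_command and remote_dir names mirror the report.

```python
"""Shell injection via os.popen3() string building vs. a shell-free argv call.

Added example, not duplicity code.  hsi_command is the path of the hsi
binary (replaced by /bin/echo below so the example runs offline);
remote_dir is the path part of the hsi:// URL given on the command line.
"""
import re
import subprocess

# Characters /bin/sh treats specially.  Any of these inside remote_dir changes
# how the string-built command line is tokenised by the shell.
SHELL_META = re.compile(r'[;&|`$<>(){}\[\]*?!"\'\\\s]')


def vulnerable_commandline(hsi_command, remote_dir):
    """The construction from hsibackend._list(): remote_dir is interpolated
    verbatim into one string that os.popen3() would pass to /bin/sh.
    Returned as a string only, never executed here."""
    return '%s "ls -l %s"' % (hsi_command, remote_dir)


def would_inject(remote_dir):
    """True when remote_dir contains shell metacharacters, i.e. the shell
    would not deliver 'ls -l <remote_dir>' to hsi as a single argument.
    With the path from the bug report this splits into:
        hsi "ls -l " ; xeyes ; "/test/"
    which is exactly why xeyes starts."""
    return SHELL_META.search(remote_dir) is not None


def safe_argv(hsi_command, remote_dir):
    """Argument vector for subprocess: hsi receives exactly one argument,
    the hsi command 'ls -l <remote_dir>'.  No shell ever parses it, so
    ';', '"' or '$(...)' in remote_dir stay literal bytes."""
    return [hsi_command, "ls -l %s" % remote_dir]


def list_remote(hsi_command, remote_dir):
    """Run the listing without a shell and return what the program printed.
    (Real hsi writes its listing to stderr; /bin/echo prints to stdout, so
    both streams are captured and stdout is returned for the stand-in.)"""
    proc = subprocess.run(safe_argv(hsi_command, remote_dir),
                          capture_output=True, text=True, check=False)
    return proc.stdout if proc.stdout else proc.stderr


if __name__ == "__main__":
    # Constructed input: the path from the bug report's demo
    hostile = '";xeyes;"/test/'
    print("string form :", vulnerable_commandline("hsi", hostile))
    print("injectable  :", would_inject(hostile))
    print("argv form   :", safe_argv("hsi", hostile))
    print("echo output :", list_remote("/bin/echo", hostile).rstrip())
```

The argv form removes the local shell from the picture entirely; hsi still interprets its single argument as an hsi command, so `would_inject()` is a defence-in-depth input check for the URL path, not a replacement for dropping os.popen3().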
