duplicity-team team mailing list archive

Thread
Date

[Bug 1520691] Re: Shell Code Injection in hsi backend

To: duplicity-team@xxxxxxxxxxxxxxxxxxx
From: Kenneth Loafman <kenneth@xxxxxxxxxxx>
Date: Sat, 12 Dec 2015 11:19:59 -0000
Reply-to: Bug 1520691 <1520691@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I think you are flogging a dead horse.  As far as I can tell, it's not
possible to detect intentional shell injection, and still allow all the
chars in the filename that Linux does.  You have some clever examples,
but what's lacking is any suggestion on how to spot shell injections.

The lftp example is good, but that's in lftp itself.  Since duplicity
requires a path and a url, the commandline would be invalid.

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691

Title:
   Shell Code Injection in hsi backend

Status in Duplicity:
  Fix Released

Bug description:
  https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103

  The "hsi" backend of duplicity is vulnerabe to code injections.

  It uses os.popen3() with should be replaced with subprocess.Popen().

  Thank you.

  File :
  -------
  /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py

  This is the function witch is vulnerable :
  ------------------------------------------------------------
      def _list(self):
          commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
          l = os.popen3(commandline)[2].readlines()[3:]

  Exploit Demo :
  ============

  On the Terminal type in :

  $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug

  --> This will start the program xeyes , but should not.

  I attached a screenshot of the exploit demo.

To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions