duplicity-team team mailing list archive

Thread
Date

Re: [Bug 1520691] Re: Shell Code Injection in hsi backend

To: duplicity-team@xxxxxxxxxxxxxxxxxxx
From: edso <1520691@xxxxxxxxxxxxxxxxxx>
Date: Mon, 28 Dec 2015 00:11:59 -0000
Reply-to: Bug 1520691 <1520691@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

On 27.12.2015 19:35, Bernd Dietzel wrote:
> Demo what may happen when someone does a copy and paste of an FTPS Path.
> https://youtu.be/LeA6W3s-Q80
> 

of course you replicated the issue with the latest 0.7.06 release before
complaining in length via video, right?

in 0.7.06 lftp simply chokes on it. feel free to open another bug to fix
the lftp backend wrt that.

..ede/duply.net

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1520691

Title:
   Shell Code Injection in hsi backend

Status in Duplicity:
  Fix Released

Bug description:
  https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103

  The "hsi" backend of duplicity is vulnerabe to code injections.

  It uses os.popen3() with should be replaced with subprocess.Popen().

  Thank you.

  File :
  -------
  /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py

  This is the function witch is vulnerable :
  ------------------------------------------------------------
      def _list(self):
          commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
          l = os.popen3(commandline)[2].readlines()[3:]

  Exploit Demo :
  ============

  On the Terminal type in :

  $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug

  --> This will start the program xeyes , but should not.

  I attached a screenshot of the exploit demo.

To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions

References

[Bug 1520691] Re: Shell Code Injection in hsi backend
From: Bernd Dietzel, 2015-12-27