Possible Shell Command Injection

Bug #1509835 reported by Bernd Dietzel
Affects: apt-offline (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: SYEDFAYAZ MUJAWAR
Milestone: (none)

Bug Description

Because of this os.system call in AptOfflineCoreLib.py

x = os.system("%s %s %s %s" % (self.gpgv, self.opts, signature_file, signed_file) )

the Python script is vulnerable to shell command injections in 4 ways.

1. if there is a shell command in the path, for example /tmp/$(xterm)/gpgv/
2. in the "keyring" text
3. in the name of the "signature file"
4. in the name of the "signed_file", for example ;xmessage hello;#.gpg

I attached a patch for this

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: apt-offline 1.6.1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu3
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Oct 25 17:06:11 2015
InstallationDate: Installed on 2015-10-09 (15 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
PackageArchitecture: all
SourcePackage: apt-offline
UpgradeStatus: No upgrade log present (probably fresh install)
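
The four injection points in the description share one cause: the command is interpolated into a single string that /bin/sh parses. The sketch below is an added example, not the reporter's patch and not apt-offline's code; it passes the same values as an argument vector with no shell involved. The function names, the sample keyring path, the "--" separator and the Python stand-in for gpgv are assumptions of the example.

```python
import json
import subprocess
import sys

# Stand-in for gpgv (assumption): a child Python process that reports the
# argument vector it received, so the example runs without GnuPG installed.
ARGV_ECHO = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]


def legacy_command_string(gpgv, opts, signature_file, signed_file):
    """The string the os.system call in the report would hand to the shell.

    Built for comparison only; it is never executed here.
    """
    return "%s %s %s %s" % (gpgv, opts, signature_file, signed_file)


def build_verify_argv(gpgv, keyrings, signature_file, signed_file):
    """Return the verification command as a list: one element per argument."""
    argv = list(gpgv)
    for keyring in keyrings:
        argv += ["--keyring", keyring]
    # "--" ends option parsing, so a file name starting with "-" is not an option.
    argv += ["--", signature_file, signed_file]
    return argv


def run_without_shell(argv):
    """Run argv directly (no /bin/sh); return (exit status, argv the child saw)."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    received = json.loads(proc.stdout) if proc.returncode == 0 else None
    return proc.returncode, received


def demo():
    # Constructed inputs; the signed-file name is the one quoted in the report.
    hostile_name = ";xmessage hello;#.gpg"
    argv = build_verify_argv(ARGV_ECHO, ["/etc/apt/trusted.gpg"],
                             "Release.gpg", hostile_name)
    return run_without_shell(argv)


if __name__ == "__main__":
    print(legacy_command_string("gpgv", "--keyring /etc/apt/trusted.gpg",
                                "Release.gpg", ";xmessage hello;#.gpg"))
    print(demo())
```

With the list form the child receives the file name as a single literal argument, so the ";" and "#" characters are never interpreted; the same holds for the gpgv path and the keyring value.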

Bernd Dietzel (l-ubuntuone1104) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch for AptOfflineCoreLib.py" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
information type: Public → Public Security
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in apt-offline (Ubuntu):
status: New → Incomplete
Bernd Dietzel (l-ubuntuone1104) wrote :

My patch was accepted by Mr. Sarraf and fixed in apt-offline upstream repo.
https://github.com/rickysarraf/apt-offline/blob/master/apt_offline_core/AptOfflineCoreLib.py

Bernd Dietzel (l-ubuntuone1104) wrote :

My demo exploit video (German)
https://www.youtube.com/watch?v=QGAjwKF5d3w

Bernd Dietzel (l-ubuntuone1104) wrote :

My improved Patch Nr. 2

Changed in apt-offline (Ubuntu):
assignee: nobody → SYEDFAYAZ MUJAWAR (syedfayaz28)