Comment 14 for bug 1520691

Kenneth Loafman (kenneth-loafman) wrote : Re: [Duplicity-team] [Bug 1520691] Re: Shell Code Injection in hsi backend

I needed arg[0] to replace partial path with full path and shlex was the
only way to do this easily.

It also parses the commandline the way the shell would, so a legal split.
Your example will be reconstructed in Popen as

"program ls -l /tmp --help"

which is weird, but probably legal in most cases.

I thought about doing it with a simple split(), but that would run out
something like

'/usr/bin/odd dir with spaces/program' ls /tmp

so I went with something that is supposed to work.

Basically, the problem goes from simple to absurdly complex in a real hurry.

On Mon, Nov 30, 2015 at 12:18 PM, edso <email address hidden> wrote:

> On 30.11.2015 18:45, Bernd Dietzel wrote:
> > I'm not happy with shlex.split.
> > It could split the commandline into unwanted additional arguments.
> >
> > Example with an unwanted help argument in a path :
> >
> > theregrunner@PC:~$ python
> > Python 2.7.10 (default, Oct 14 2015, 16:09:02)
> > [GCC 5.2.1 20151010] on linux2
> > Type "help", "copyright", "credits" or "license" for more information.
> >>>> commandline = '%s "ls -l %s"' % ('program' , '/tmp/" "--help')
> >>>> commandline
> > 'program "ls -l /tmp/" "--help"'
> >>>> import shlex
> >>>> args = shlex.split(commandline)
> >>>> args
> > ['program', 'ls -l /tmp/', '--help']
> >>>>
>
> can you see a security implication? worst case afaics is breakage.
>
> actually backends had to have the parameters properly quoted already.
> if not they wouldn't work with spaces or other special chars. not sure
> that all were tested against these corner cases though.
>
> ..ede/duply.net
>
> Title:
> Shell Code Injection in hsi backend
>
> Status in Duplicity:
> Fix Committed
>
> Bug description:
> https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
>
> The "hsi" backend of duplicity is vulnerable to code injections.
>
> It uses os.popen3() which should be replaced with subprocess.Popen().
>
> Thank you.
>
> File :
> -------
> /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
>
> This is the function which is vulnerable :
> ------------------------------------------------------------
> def _list(self):
>     # remote_dir is pasted unquoted into a string that os.popen3() hands to /bin/sh
>     commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
>     # popen3() returns (stdin, stdout, stderr); hsi's listing is read from stderr
>     l = os.popen3(commandline)[2].readlines()[3:]
>
> Exploit Demo :
> ============
>
> On the Terminal type in :
>
> $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
>
> --> This will start the program xeyes , but should not.
>
> I attached a screenshot of the exploit demo.
>
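As an added example (not code from this thread or from duplicity), the three ways of building the hsi `ls -l` command that the thread argues about, applied to the two remote_dir values quoted above: the shell string from the bug report, the shlex.split() re-parse, and a plain argv list. The helper names, the `hsi_command` parameter and the use of `echo` as a stand-in binary are assumptions.

```python
import shlex
import shutil
import subprocess


def shell_string(hsi_command, remote_dir):
    """The string the reported _list() built and handed to os.popen3(),
    i.e. to /bin/sh: remote_dir is pasted into shell syntax unquoted."""
    return '%s "ls -l %s"' % (hsi_command, remote_dir)


def argv_via_shlex(hsi_command, remote_dir):
    """The shlex.split() approach discussed in the thread: same string,
    re-parsed and run without a shell. No command substitution, but quotes
    inside remote_dir still decide where the argument boundaries fall."""
    return shlex.split(shell_string(hsi_command, remote_dir))


def argv_direct(hsi_command, remote_dir):
    """Build argv as a list from the start: remote_dir can never change the
    number of arguments or escape the single hsi command argument."""
    return [hsi_command, "ls -l %s" % remote_dir]


def resolve_program(argv):
    """The arg[0] need from the thread (bare name -> full path), done on the
    list with shutil.which() instead of re-parsing the whole line."""
    full = shutil.which(argv[0])
    return [full or argv[0]] + argv[1:]


def preserves_remote_dir(argv, remote_dir):
    """Invariant a safe builder must satisfy: exactly two argv entries and
    the second is the hsi command with remote_dir intact."""
    return len(argv) == 2 and argv[1] == "ls -l %s" % remote_dir


def run_listing(hsi_command, remote_dir):
    """Replacement for the os.popen3() call: list argv, no shell. hsi wrote
    its listing to stderr (popen3()[2]), so both streams are returned."""
    proc = subprocess.run(resolve_program(argv_direct(hsi_command, remote_dir)),
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines(), proc.stderr.splitlines()


if __name__ == "__main__":
    # Constructed inputs: the two remote_dir values quoted in the thread.
    for rd in ['/tmp/" "--help', '";xeyes;"/test/']:
        print(repr(shell_string("program", rd)))
        for build in (argv_via_shlex, argv_direct):
            argv = build("program", rd)
            print(build.__name__, argv, preserves_remote_dir(argv, rd))
```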