When you build the commandline in duplicity you have full control of what
you put in. Not sure what you mean.
On Wed, Dec 2, 2015 at 2:01 PM, Bernd Dietzel <email address hidden>
wrote:
> This is why i do not like to give the arguments out of my hands.
> A parameter may start any program, like rsync starts firefox or xmessage :
>
> duplicity 'rsync://x/ --rsh="xmessage "' ~/t
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1520691
>
> Title:
> Shell Code Injection in hsi backend
>
> Status in Duplicity:
> Fix Committed
>
> Bug description:
> https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
>
> The "hsi" backend of duplicity is vulnerable to code injections.
>
> It uses os.popen3() which should be replaced with subprocess.Popen().
>
> Thank you.
>
> File :
> -------
> /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
>
> This is the function which is vulnerable :
> ------------------------------------------------------------
> def _list(self):
>     commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
>     l = os.popen3(commandline)[2].readlines()[3:]
>
> Exploit Demo :
> ============
>
> On the Terminal type in :
>
> $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
>
> --> This will start the program xeyes, but should not.
>
> I attached a screenshot of the exploit demo.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
>
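The fix the report asks for, as an added example that is not duplicity's own code: the string construction from the quoted `_list()` beside a `subprocess` replacement that passes an argv list with no shell in between. `echo` stands in for the hsi binary so the demo runs without HPSS, and `is_safe_remote_dir` is an assumed extra allow-list check, since `remote_dir` is still spliced into hsi's own command string.

```python
import re
import subprocess

# Constructed stand-in for the backend's hsi_command: "echo" needs no HPSS
# install and simply prints the argument(s) it actually received.
HSI_COMMAND = "echo"

# Assumed allow-list for remote_dir (an extra check, not from the report):
# remote_dir is still spliced into hsi's own command string, so keep it plain.
_SAFE_DIR = re.compile(r"^[A-Za-z0-9_./-]+$")


def vulnerable_commandline(hsi_command, remote_dir):
    """The reported pattern: one string later parsed by /bin/sh, so a double
    quote inside remote_dir closes the argument and ';' starts a new command."""
    return '%s "ls -l %s"' % (hsi_command, remote_dir)


def safe_argv(hsi_command, remote_dir):
    """Hardened form: an argv list handed to execve with no shell in between,
    so remote_dir stays inside one literal argument whatever it contains."""
    return [hsi_command, "ls -l %s" % remote_dir]


def is_safe_remote_dir(remote_dir):
    """Defensive allow-list; reject before building any command at all."""
    return bool(_SAFE_DIR.match(remote_dir))


def run_vulnerable(remote_dir):
    """Run the string through sh, as os.popen3() did. Returns stdout lines."""
    proc = subprocess.run(["sh", "-c", vulnerable_commandline(HSI_COMMAND, remote_dir)],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_safe(remote_dir):
    """Run the argv list with shell=False (subprocess.Popen's default)."""
    proc = subprocess.Popen(safe_argv(HSI_COMMAND, remote_dir),
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return out.splitlines()


if __name__ == "__main__":
    payload = 'bug/";echo INJECTED;"/test/'   # same shape as the report's demo value
    print("shell string:", run_vulnerable(payload))   # two separate commands ran
    print("argv list:   ", run_safe(payload))         # one literal argument, nothing else
    print("allow-list:  ", is_safe_remote_dir(payload))
```

With the shell string, `sh` reports the trailing `/test/` as a command of its own on stderr; with the argv list the whole value reaches the child as a single argument.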