MintNanny Executes Code in Domain Name Strings

Bug #1460835 reported by Bernd Dietzel on 2015-06-01
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Linux Mint
Fix Released
Undecided
Unassigned

Bug Description

File :
/usr/lib/linuxmint/mintNanny/mintNanny.py

The functions add_domain and remove_domain can execute Shell Commands.

See attached demo screenshot for a "remove_domain" exploid wich starts xterm as root.

Here are the functions wich use the old os.system() commands wich can be easy attacked with an bad domain name string :

------------

def add_domain(widget, treeview_domains):
 name = commands.getoutput("/usr/lib/linuxmint/common/entrydialog.py '" + _("Please type the domain name you want to block") + "' '" + _("Domain name:") + "' '' 'mintNanny' 2> /dev/null")
 domain = name.strip()
 if domain != '':
  model = treeview_domains.get_model()
  iter = model.insert_before(None, None)
  model.set_value(iter, 0, domain)
  domain = "127.0.0.1 " + domain + " # blocked by mintNanny"
  os.system("echo \"" + domain + "\" >> /etc/hosts")

def remove_domain(widget, treeview_domains):
 selection = treeview_domains.get_selection()
 (model, iter) = selection.get_selected()
 if (iter != None):
  domain = model.get_value(iter, 0)
  os.system("sed '/" + domain + "/ d' /etc/hosts > /tmp/hosts.mintNanny")
  os.system("mv /tmp/hosts.mintNanny /etc/hosts")
  model.remove(iter)

-----

Please replace all os.system() calls from all your python scripts and replace with subprocess.Popen().
Do the same with commands.getoutput() and commands.getstatusoutput() ... and so on.

To find a list of possible vulnerable python files on LinuxMint you can use e.g. this command :
sudo find / -name "*.py" -type f -exec grep -in -B 2 -A 2 "os.system(" {} + > list.txt

Thank you :-)

Bernd Dietzel (l-ubuntuone1104) wrote :
Bernd Dietzel (l-ubuntuone1104) wrote :

An other Exploid Demo :

If you try to block the following Link then the program "xterm" be will run as root :

https://bugs.launchpad.net/linuxmint/+bug/1460835/$(xterm)#

information type: Private Security → Public Security
Bernd Dietzel (l-ubuntuone1104) wrote :

My Patch to fix the shell injections

Changed in linuxmint:
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Bug attachments