MintBackup executes Code when package_dest Path contains Shell commands
Bug #1462313 reported by
Bernd Dietzel
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Linux Mint |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
File :
/usr/lib/
Line :
1465
Code :
os.system("chmod a+rw " + os.path.
Exploid Demo : ... if "self.package_dest" is a path like this :
/tmp/;xterm #/backup/
... the program xterm will be launched as root when you try to save a package selection backup to this path.
this is bacause ";xterm;" contains the shell comamnd char ";" wich will make xterm be executed by os.system.
If the destionation path is on an external drive or internet share with a path name in the hands of other people,
this can be a security issure.
Please do not use os.system anywhere.
Thanks ;-)
| description: | updated |
Revision history for this message
| Bernd Dietzel (l-ubuntuone1104) wrote | #1 |
| information type: | Private Security → Public Security |
Revision history for this message
| Bernd Dietzel (l-ubuntuone1104) wrote | #2 |
| summary: |
- MinBackup executes Code when package_dest Path contains Shell commands + MintBackup executes Code when package_dest Path contains Shell commands |
Revision history for this message
| Bernd Dietzel (l-ubuntuone1104) wrote | #3 |
Revision history for this message
| Bernd Dietzel (l-ubuntuone1104) wrote | #4 |
| Changed in linuxmint: | |
| status: | New → Fix Released |
To post a comment you must log in.
Another Exploid Demo :
=======
I could make the root folder read+Executefor ALL !!! users simply trick somene to use this Backup Path :
/home/theregrun
where theregrunner is my user name.
The folder "test " has as space at the end , thats important and leads to the privilige escalation
The text `endez-vous avec Ocean of Tears ` is just a camouflage to hide the root folder Path.
-->the charater ` tells the shell to start the Programm "endez-vous" .... it is not there ... so result is an empty string.
this leads to this :
os.system("chmod a+rx " + self.package_dest)
os.system("chmod a+rx /home/theregrun
===> os.system("chmod a+rx /home/theregrun
the space in the test folder name makes chmod to modify two Paths, not only one , and this is equal as this two commands :
chmod a+rx /home/theregrun
chmod a+rx /root/
so before we had :
ls -al
drwx------ 13 root root 4096 Jun 3 22:16 root ( before )
and now wie have a privilege escalation :
ls -al
drwxr-xr-x 13 root root 4096 Jun 3 22:16 root
And now where are really in an Ocean of Tears :-((
by the way .. i now the spelling of the french word was not correct but nessesary for the attack demo to work ;-)