python-foomatic command injection.

Bug #811119 reported by David
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
foomatic-filters-ppds
Invalid
Undecided
Unassigned
foomatic-gui (Ubuntu)
Fix Released
High
Unassigned

Bug Description

The "/usr/lib/python2.6/dist-packages/foomatic/pysmb.py" script which is part of python-foomatic (foomatic-gui depends on this apparently :/) appears that it maybe vulnerable to command injection.
I suspect this because it does _not_ escape the value of a host's 'netbios name' nor the 'workgroup' / domain of the network on line ~118 [0] in the function get_printer_list. I have not checked but I believe this script may be used in the foomatic-gui :/

You can test against the script by doing the following:
#1 install samba
#2 add netbios name = oh'notquotezSIF to /etc/samba/smb.conf
#3 restart samba
#4 run "python /usr/lib/python2.6/dist-packages/foomatic/pysmb.py"

[0] - for l in os.popen (str, 'r'):

David (d--)
affects: launchpad → foomatic-filters-ppds
Changed in foomatic-filters-ppds:
status: New → Invalid
David (d--)
description: updated
description: updated
David (d--)
description: updated
Revision history for this message
David (d--) wrote :

By replacing a bunch of strupper_m function calls in source3/nmbd/ with strlower_m I was able to get /usr/bin/nmblookup to output 'lowercase' netbios and workgroup names.

Revision history for this message
David (d--) wrote :

(** in the ubuntu samba package source code).

Revision history for this message
David (d--) wrote :

So now that I managed to get a 'lower case netbios name' - I decided to make my 'attacker' vm's netbios name '&reboot&'. Then on the 'victim' I opened foomatic-gui (via sudo) and attempted to 'discover remote printers' (after a little bit --> the "discover" code checks for tcp printers first see /usr/lib/python2.6/dist-packages/foomatic/detect.py 445 [0] ) the victim vm rebooted :)

[0] -
(remote_detect = [
    detect_tcp_printers,
    detect_smb_printers,
    ]
)

David (d--)
summary: - python-foomatic Possible command injection.
+ python-foomatic command injection.
description: updated
David (d--)
visibility: private → public
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in foomatic-gui (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

[Updating] foomatic-gui (0.7.9.4 [Ubuntu] < 0.7.9.5 [Debian])
 * Trying to add foomatic-gui...
2011-09-01 17:31:27 INFO - <foomatic-gui_0.7.9.5.dsc: downloading from http://ftp.debian.org/debian/>
2011-09-01 17:31:27 INFO - <foomatic-gui_0.7.9.5.tar.gz: downloading from http://ftp.debian.org/debian/>
I: foomatic-gui [universe] -> foomatic-gui_0.7.9.4 [universe].
I: foomatic-gui [universe] -> printconf_0.7.9.4 [universe].
I: foomatic-gui [universe] -> python-foomatic_0.7.9.4 [universe].

Changed in foomatic-gui (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers