python-foomatic command injection.

Bug #811119 reported by David on 2011-07-15
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
foomatic-filters-ppds | Invalid | Undecided | Unassigned |
foomatic-gui (Ubuntu) | | High | Unassigned |

Bug Description

The "/usr/lib/python2.6/dist-packages/foomatic/pysmb.py" script which is part of python-foomatic (foomatic-gui depends on this apparently :/) appears that it may be vulnerable to command injection.
I suspect this because it does _not_ escape the value of a host's 'netbios name' nor the 'workgroup' / domain of the network on line ~118 [0] in the function get_printer_list. I have not checked but I believe this script may be used in the foomatic-gui :/

You can test against the script by doing the following:
#1 install samba
#2 add netbios name = oh'notquotezSIF to /etc/samba/smb.conf
#3 restart samba
#4 run "python /usr/lib/python2.6/dist-packages/foomatic/pysmb.py"

[0] - for l in os.popen (str, 'r'):
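
An added example (not part of the original report and not python-foomatic's own code) of the pattern described above: a name taken from the network is pasted into a string that os.popen passes to the shell, shown beside a hardened form that validates the name and builds an argument list. The smbclient command line, the function names and the allow-list are assumptions for illustration; the report shows only the os.popen (str, 'r') call. Written for Python 3.

```python
import re
import shlex

# Assumption: a conservative allow-list for NetBIOS host/workgroup names
# (1-15 characters, no leading '-'); stricter than the protocol itself.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,14}")


def unsafe_command(host, workgroup):
    """Vulnerable pattern: names taken from the network are pasted into a
    string that os.popen() hands to /bin/sh. The smbclient command line is
    assumed for illustration."""
    return "smbclient -N -L %s -W %s" % (host, workgroup)


def shell_operators(command):
    """Approximate what /bin/sh sees: return the control operators in
    `command`. Raises ValueError when the quoting is unbalanced."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and set(tok) <= set("();<>|&")]


def safe_argv(host, workgroup):
    """Hardened pattern: validate each name, then build an argument list
    for subprocess.Popen(argv) with the default shell=False, so no shell
    parses the names."""
    for label, value in (("host", host), ("workgroup", workgroup)):
        if not NAME_RE.fullmatch(value):
            raise ValueError("rejected %s name: %r" % (label, value))
    return ["smbclient", "-N", "-L", host, "-W", workgroup]


if __name__ == "__main__":
    # Constructed inputs: one ordinary name plus the two names from the report.
    for name in ("PRINTSRV", "oh'notquotezSIF", "&reboot&"):
        try:
            print(repr(name), "shell operators:",
                  shell_operators(unsafe_command(name, "WORKGROUP")))
        except ValueError as exc:
            print(repr(name), "shell syntax error:", exc)
        try:
            print("  argv:", safe_argv(name, "WORKGROUP"))
        except ValueError as exc:
            print("  ", exc)
```

Where a shell string cannot be avoided, shlex.quote (pipes.quote on Python 2) applied to each name is the fallback; the argument list removes the shell from the path entirely.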

David (d--) on 2011-07-15
affects: launchpad → foomatic-filters-ppds
Changed in foomatic-filters-ppds:
status: New → Invalid
David (d--) on 2011-07-15
description: updated
description: updated
David (d--) on 2011-07-15
description: updated
David (d--) wrote :

By replacing a bunch of strupper_m function calls in source3/nmbd/ with strlower_m I was able to get /usr/bin/nmblookup to output 'lowercase' netbios and workgroup names.

David (d--) wrote :

(** in the Ubuntu samba package source code).

David (d--) wrote :

So now that I managed to get a 'lower case netbios name' - I decided to make my 'attacker' vm's netbios name '&reboot&'. Then on the 'victim' I opened foomatic-gui (via sudo) and attempted to 'discover remote printers' (after a little bit --> the "discover" code checks for tcp printers first see /usr/lib/python2.6/dist-packages/foomatic/detect.py 445 [0] ) the victim vm rebooted :)

[0] -
(remote_detect = [
    detect_tcp_printers,
    detect_smb_printers,
    ]
)

David (d--) on 2011-07-30
summary: - python-foomatic Possible command injection.
+ python-foomatic command injection.
description: updated
David (d--) on 2011-07-30
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in foomatic-gui (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

[Updating] foomatic-gui (0.7.9.4 [Ubuntu] < 0.7.9.5 [Debian])
 * Trying to add foomatic-gui...
2011-09-01 17:31:27 INFO - <foomatic-gui_0.7.9.5.dsc: downloading from http://ftp.debian.org/debian/>
2011-09-01 17:31:27 INFO - <foomatic-gui_0.7.9.5.tar.gz: downloading from http://ftp.debian.org/debian/>
I: foomatic-gui [universe] -> foomatic-gui_0.7.9.4 [universe].
I: foomatic-gui [universe] -> printconf_0.7.9.4 [universe].
I: foomatic-gui [universe] -> python-foomatic_0.7.9.4 [universe].

Changed in foomatic-gui (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information
Everyone can see this security related information.