Shell Code Injection in hsi backend
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| duplicity (Ubuntu) |
Confirmed
|
High
|
Unassigned | ||
Bug Description
The "hsi" backend of duplicity is vulnerabe to code injections.
It uses os.popen3() with should be replaced with subprocess.Popen().
Thank you.
File :
-------
/usr/lib/
This is the function witch is vulnerable :
-------
def _list(self):
commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
l = os.popen3(
Exploit Demo :
============
On the Terminal type in :
$ duplicity 'hsi://
--> This will start the program xeyes , but should not.
I attached a screenshot of the exploit demo.
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: duplicity 0.7.02-1ubuntu1
ProcVersionSign
Uname: Linux 4.2.0-18-generic x86_64
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: MATE
Date: Mon Nov 23 22:09:23 2015
InstallationDate: Installed on 2015-11-13 (9 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: duplicity
UpgradeStatus: No upgrade log present (probably fresh install)
| Bernd Dietzel (l-ubuntuone1104) wrote | #1 |
| Marc Deslauriers (mdeslaur) wrote | #2 |
| Bernd Dietzel (l-ubuntuone1104) wrote | #3 |
| information type: | Private Security → Public Security |
| Changed in duplicity (Ubuntu): | |
| status: | New → Confirmed |
| Kenneth Loafman (kenneth-loafman) wrote | #4 |
| tags: | added: xenial yakkety zesty |
| Changed in duplicity (Ubuntu): | |
| importance: | Undecided → High |
| tags: | removed: wily yakkety zesty |
Thanks for reporting this issue. Have you reported it to the duplicity developers?
If not, please report it to them in their bug tracker here:
https:/
and link the bug to this one.
Thanks!