Possible Shell Command Injection in daemon

Same issues in :
/usr/share/unity-scopes/audacious/unity_audacious_daemon.py
/usr/share/unity-scopes/guayadeque/unity_guayadeque_daemon.py
/usr/share/unity-scopes/clementine/unity_clementine_daemon.py
/usr/share/unity-scopes/musique/unity_musique_daemon.py

I attached a Clementine Scope Exploid Screenshot Demo

Exploid Demo Video (german)
https://www.youtube.com/watch?v=JrP7B6CIOMQ

Bernd, thank you for this report and excellent demonstrations. More to come later.

If the shell command can be injected seems only depend on how the Musikplayers store their data.

The Gmusicbrowser Unity Scope seems to be lucky because the gmusicbrowser player changes special chars in the name before it stores it in his database.

The Audacious Scope and Clementine Scope are not so lucky.

I attached a screenshot where you can see the differences.

All these tools used unsafe APIs and need drastic re-working regardless of specific database mitigations.

Thanks

I attached a patch for unity_clementine_daemon.py wich should solve the problem using subprocess

The attachment "unity_clementine_daemon_patch.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Better patch attached for the clementine unity scope Python script.

1) I use subprocess.Popen() this time instead of the simple subprocess.call() before.
2) Should now handle albumtracks in a better way because its a list of strings.
3) Clementime gives you now a error message on playing a file when shell commands are in the filename.
4) A Folder Path with Shell Commands in the pathname will not be injected and not opened.

... could someone check it please ?

@David
Did you noticed that the albumtracks are a list and not a simple string ?
Have a look on my "Better patch for unity_clementine_daemon.py" on comment #10

The clementine patch appears to address the shell injection but does not address UTF-8 crashes nor SQL injections.

The gourmet patch appears to address the SQL injection but does not address the predictable /tmp/ filenames, potential cross-site scripting issues due to use of unquoted HTML, and the preview's localisation is still broken.

The audacious patch appears to address the shell injection -- but Bernd points out that it may not function if multiple tracks are selected -- and does not address the 'database' file descriptor leak.

The gmusicbrowser patch appears to address the shell injection -- but Bernd points out that it may not function if multiple tracks are selected -- and does not address the 'filename' file descriptor leak.

The musique patch appears to address both the shell injection and SQL injection issues. It does not address UTF-8 crashes.

The guayadeque patch appears to address the shell injection and SQL injections -- but Bernd points out that it may not function if multiple tracks are selected. It does not address UTF-8 crashes.

Thanks

My new Clementine Patch.
I had a look on the other patches to fix the SQL injections.
Fixed utf8 decoding to crash with try and except.
Hope it works. Please test.

@David
shotwell , firefoxbookmarks, chromiumbookmarks and zotero scope may be checked for sql injections, too.

Example : Some code of the shotwell scope :
sql='select * from PhotoTable where filename = \"'+filename+'\"'

For a Shotwell Scope SQL injection Demo , i attached a screenshot.
Code can be injected with a file name in the function getPhotoForUri.

Demonstration:
a) rename some picture like this

xx " UNION SELECT 1,'2','Hello','World',5,6,7,8,9,10,11,12,'13','14','15',16,17,18,19,20,21,22,23,24,'25',26,27,28,29 -- ".png

b) start shotwell and ensure the picture gets into the shotwell database
c) close shotwell
d) Search for xx in the Unity Dash and click on the picture
e) Have look at the picture dimensions and the size. It reads "Hello x World Pixels", size : 5.0b.
     This is only a harmles demo. Other things may happen like crashes or code execution.

Hi David - Can you take a look at Seth's feedback in comment 17 and then update your patches accordingly? Thanks!

New patch for unity_audacious_daemon.py
with better handling of multiple tracks

@Seth , you Comment 17 :

I had a look on audacious the db-file access :

    for collection in os.listdir(AUDACIOUS_DBFILE):
        dbfile = '%s/%s' % (AUDACIOUS_DBFILE, collection)
        database = open(dbfile, "r")
        database = database.read()
        if not database.startswith("title:Library"):
            records = database[14:]
            records = records.split("uri=")
        else:
            records = ""

What i can see are some bugs like this :

1) On my PC, the Database entry is not english "title:Library", but in my language "title=Sammlung" , notice it is written with "=" not with ":"
2) So "records = database[14:]" should be somewhat like "records = database[5:]"
3) There is no filter to use files with ".audpl" extension only.
4) There is a "//" in the dbfile Path

is it that what you mean ?

Bernd, all those look like different errors. I just meant that the line: "database = open(dbfile, "r")" doesn't have a corresponding line to close the file once it's done.

OK, check this new patch for the audacious scope.
- No injections
- Multiple Tracks
- Database issues

I haven't tested it but the patch looks like a vast improvement.

Thanks