No attack, but it does something odd...

---- normal run ---
ken@stealth:~$ rm -f /tmp/testdup/*; duplicity full -v9 ~/bin 'rsync://stealth///tmp/testdup'
ken@stealth:~$ ll /tmp/testdup
total 72
-rw------- 1 ken ken   834 Dec 2 07:13 duplicity-full.20151202T131324Z.manifest.gpg
-rw------- 1 ken ken 56942 Dec 2 07:13 duplicity-full.20151202T131324Z.vol1.difftar.gpg
-rw------- 1 ken ken 10628 Dec 2 07:13 duplicity-full-signatures.20151202T131324Z.sigtar.gpg

--- funny run ---
ken@stealth:~$ rm -f /tmp/testdup/*; duplicity full -v9 ~/bin 'rsync://stealth///tmp/testdup --log-file=xxx'
ken@stealth:~$ ll /tmp/testdup
total 72
-rw------- 1 ken ken   833 Dec 2 07:16 duplicity-full.20151202T131620Z.manifest.gpg
-rw------- 1 ken ken 10628 Dec 2 07:16 duplicity-full-signatures.20151202T131620Z.sigtar.gpg
-rw------- 1 ken ken 56942 Dec 2 07:16 mktemp-xaTcaB-2   <== contains the missing difftar contents.

So, something is going on, but what is currently unknown. The xxx log file was never created, so no attack. It's possible it may have been created in one of the temp dirs, but not on the system.

On Wed, Dec 2, 2015 at 6:33 AM, edso <[email protected]> wrote:
> On 01.12.2015 22:44, Bernd Dietzel wrote:
> > second test :
> >
> > use the path
> >
> > /tmp/ --log-file=xxx
> >
>
> 1. can you provide a proper command line that illustrates a problem?
> along the lines of 'duplicity /local/path rsync://'
>
> 2. this would be a simple bug, but no security issue. actually what you
> describe is legally possible with duplicity by using the parameter
> --rsync-options.
>
> if you can come up w/ an attack where the filenames on the backend were
> maliciously modified in a way that exploits a locally run duplicity,
> then you'd have me convinced instantly.
>
> ..ede/duply.net
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1520691
>
> Title:
>   Shell Code Injection in hsi backend
>
> Status in Duplicity:
>   Fix Committed
>
> Bug description:
>   https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
>
>   The "hsi" backend of duplicity is vulnerable to code injection.
>
>   It uses os.popen3(), which should be replaced with subprocess.Popen().
>
>   Thank you.
>
>   File :
>   -------
>   /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
>
>   This is the function which is vulnerable :
>   ------------------------------------------------------------
>   def _list(self):
>       commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
>       l = os.popen3(commandline)[2].readlines()[3:]
>
>   Exploit Demo :
>   ============
>
>   On the Terminal type in :
>
>   $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
>
>   --> This will start the program xeyes, but should not.
>
>   I attached a screenshot of the exploit demo.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
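The vulnerable `_list()` pattern from the bug report beside the argv-list form the report asks for, as an added example that is not duplicity's own code: it shows what /bin/sh would make of the interpolated string, and that with `subprocess` and `shell=False` the same path reaches the child as one literal argument. The `hsi` stand-in name, the constructed `INJECTED_DIR` and the path allowlist are assumptions.

```python
import shlex
import subprocess
import sys

HSI_COMMAND = "hsi"  # stand-in for the backend's hsi_command (assumption)
# Constructed remote_dir mirroring the report's 'hsi://bug/";xeyes;"/test/' URL.
INJECTED_DIR = '/";xeyes;"/test/'


def vulnerable_commandline(remote_dir):
    """The original _list() pattern: remote_dir is pasted into one string
    that os.popen3() hands to /bin/sh, so the shell parses the path."""
    return '%s "ls -l %s"' % (HSI_COMMAND, remote_dir)


def shell_words(commandline):
    """Tokenise like a POSIX shell, keeping ';', '|', '&&' as operators."""
    return list(shlex.shlex(commandline, posix=True, punctuation_chars=True))


def count_shell_commands(commandline):
    """How many simple commands /bin/sh would run for this string."""
    seps = sum(1 for w in shell_words(commandline) if w in (";", "|", "&&", "||"))
    return seps + 1


def hardened_argv(remote_dir):
    """Fixed form: an argv list for subprocess with shell=False. No local
    shell sees remote_dir; it travels to hsi as one literal argument."""
    return [HSI_COMMAND, "ls -l %s" % remote_dir]


def is_safe_remote_dir(remote_dir):
    """Second layer: hsi parses its own command string, so only admit
    characters that belong in a path (allowlist is an assumption)."""
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-")
    return bool(remote_dir) and set(remote_dir) <= allowed


def argument_as_received(remote_dir):
    """Run hardened_argv() with a Python one-liner standing in for hsi and
    return the argument the child process actually received."""
    argv = hardened_argv(remote_dir)
    argv[:1] = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    cmd = vulnerable_commandline(INJECTED_DIR)
    print("shell would run %d commands for: %s" % (count_shell_commands(cmd), cmd))
    print("hardened child received: %r" % argument_as_received(INJECTED_DIR))
    print("path accepted by allowlist:", is_safe_remote_dir(INJECTED_DIR))
```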

