When you build the commandline in duplicity you have full control of what you put in. Not sure what you mean.
On Wed, Dec 2, 2015 at 2:01 PM, Bernd Dietzel <[email protected]> wrote:
> This is why I do not like to give the arguments out of my hands.
> A parameter may start any program, like rsync starts firefox or xmessage:
>
> duplicity 'rsync://x/ --rsh="xmessage "' ~/t
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1520691
>
> Title:
> Shell Code Injection in hsi backend
>
> Status in Duplicity:
> Fix Committed
>
> Bug description:
> https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
>
> The "hsi" backend of duplicity is vulnerable to code injection.
>
> It uses os.popen3(), which should be replaced with subprocess.Popen().
>
> Thank you.
>
> File:
> -------
> /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
>
> This is the function which is vulnerable:
> ------------------------------------------------------------
> def _list(self):
>     commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
>     l = os.popen3(commandline)[2].readlines()[3:]
>
> Exploit Demo:
> ============
>
> On the Terminal type in:
>
> $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
>
> --> This will start the program xeyes, but should not.
>
> I attached a screenshot of the exploit demo.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
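The injection quoted above, reproduced as an added example that is not duplicity's code and not part of the thread. It keeps the exact shape of the reported _list() builder (one interpolated string handed to /bin/sh) next to two fixes: an argv list with no shell, and shlex.quote() for the case where a shell string cannot be avoided. Assumptions: `echo` stands in for the `hsi` binary (hsi_command), `echo INJECTED` stands in for xeyes so the side effect shows up in captured stdout, and os.popen3() (removed in Python 3) is replaced by subprocess.run(shell=True), which has the same weakness.

```python
"""Shell injection in a string-built command line vs. an argv list.

Added example, not duplicity's code. `echo` stands in for the hsi binary
(assumption: hsi is not installed here); `echo INJECTED` stands in for the
xeyes side effect from the bug report.
"""
import shlex
import subprocess

# Stand-in for duplicity's hsi_command (assumption; the real value is "hsi").
HSI_COMMAND = "echo"

# Payload from the bug report with xeyes replaced by `echo INJECTED`
# (constructed input, so the effect is visible in stdout, not as a window).
PAYLOAD = 'bug/";echo INJECTED;"/test/'


def vulnerable_list(remote_dir):
    """Same shape as the reported _list(): one string, interpreted by /bin/sh.

    A `"` in remote_dir closes the quoted argument and a `;` ends the
    command, so whatever follows runs as a second command.
    """
    commandline = '%s "ls -l %s"' % (HSI_COMMAND, remote_dir)
    proc = subprocess.run(commandline, shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def hardened_list(remote_dir):
    """Fix in the spirit of the report: argv list, no shell.

    Each element reaches the child verbatim, so `"` and `;` in remote_dir
    are data. hsi still gets "ls -l <dir>" as one argument, exactly as the
    original quoting intended.
    """
    argv = [HSI_COMMAND, "ls -l %s" % remote_dir]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout.splitlines()


def quoted_shell_list(remote_dir):
    """Alternative when a shell string is unavoidable: quote every value."""
    commandline = "%s %s" % (shlex.quote(HSI_COMMAND),
                             shlex.quote("ls -l %s" % remote_dir))
    proc = subprocess.run(commandline, shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def injection_happened(lines):
    """True if a second command ran, i.e. INJECTED came out on its own line."""
    return "INJECTED" in lines


if __name__ == "__main__":
    for fn in (vulnerable_list, hardened_list, quoted_shell_list):
        lines = fn(PAYLOAD)
        print("%-18s injected=%-5s stdout=%r"
              % (fn.__name__, injection_happened(lines), lines))
```

With the payload, vulnerable_list() returns two lines (`ls -l bug/` and `INJECTED`), showing that `/bin/sh` ran a second command; both fixed variants return the single line `ls -l bug/";echo INJECTED;"/test/`, the payload surviving as literal data. One caveat the report does not cover: the argv form only removes the local shell from the picture. The real hsi still parses `ls -l <dir>` as its own command string, so whether hsi's parser treats `;` or quotes specially is a separate question to check against hsi itself.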

