[Touch-packages] [Bug 1513964] Re: dsextras.py : Shell Command Injection with a pkg name
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pygobject-2 in Ubuntu. https://bugs.launchpad.net/bugs/1513964 Title: dsextras.py : Shell Command Injection with a pkg name Status in pygobject-2 package in Ubuntu: New Bug description: Expoit screenshot attached. The "dsextras.py" script is vulnerable in multiple functions for code injections in the "name" of a pkg. The script uses old and depreached python functions wich are a security risk : commands.getstatusoutput() os.system() os.popen() Please use the subprocess module instead ! Expoit Example wich runs a xmessage command == theregrunner@1510:~$ cd /usr/lib/python2.7/dist-packages/gtk-2.0/ theregrunner@1510:/usr/lib/python2.7/dist-packages/gtk-2.0$ python Python 2.7.10 (default, Oct 14 2015, 16:09:02) [GCC 5.2.1 20151010] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import dsextras >>> dsextras.pkgc_get_version('fontutil;xmessage "hello bug"') '1.3.1' === This Bug also effects the "so" files in the gtk-2.0 folder : atk.so gtkunixprint.so pangocairo.so pango.so ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: python-gobject-2 2.28.6-12build1 ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3 Uname: Linux 4.2.0-16-generic x86_64 NonfreeKernelModules: wl ApportVersion: 2.19.1-0ubuntu4 Architecture: amd64 Date: Fri Nov 6 21:36:38 2015 InstallationDate: Installed on 2015-10-22 (15 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021) ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=de_DE.UTF-8 SHELL=/bin/bash SourcePackage: pygobject-2 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pygobject-2/+bug/1513964/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()
Seens the bug is already known and fixed since 2014 but found not its way to ubuntu repos. http://bugs.python.org/issue22636 ** Information type changed from Private Security to Public Security ** Bug watch added: Python Roundup #22636 http://bugs.python.org/issue22636 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1512068 Title: Python ctypes.util , Shell Injection in find_library() Status in python2.7 package in Ubuntu: New Bug description: https://github.com/Legrandin/ctypes/issues/1 The find_library() function can execute code when special chars like ;|`<>$ are in the name. The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()". Demo Exploits for Linux : >>> from ctypes.util import find_library >>> find_library(";xeyes")# runs xeyes >>> find_library("|xterm")# runs terminal >>> find_library("")# runs gimp >>> find_library("$(nautilus)") # runs filemanager >>> find_library(">test") # creates, and if exists, erases a file "test" Traceback >>> find_library("`xmessage hello`")# shows a message, press ctrl+c for Traceback ^CTraceback (most recent call last): File "", line 1, in File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name)) File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc trace = f.read() KeyboardInterrupt ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: libpython2.7-stdlib 2.7.10-4ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3 Uname: Linux 4.2.0-16-generic x86_64 ApportVersion: 2.19.1-0ubuntu4 Architecture: amd64 CurrentDesktop: XFCE Date: Sun Nov 1 10:34:38 2015 InstallationDate: Installed on 2015-10-09 (22 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: python2.7 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname
@Marc Yes , if some application has a bug , for example MintNanny : https://bugs.launchpad.net/linuxmint/+bug/1460835 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname Status in bash package in Ubuntu: New Bug description: If the HOSTNAME of the pc contains a shell command , the command will run every time you start a terminal, tty or xterm. The command will also executed every time when you type in some command. If you for example change the directory , it will run again. Exploit Demo : 1) edit "/etc/hosts" to this : 127.0.0.1 localhost 127.0.1.1 `ls>bug` 2) edit "/etc/hostname" to this : `ls>bug` 3) reboot 4) start a terminal 5) Now a file with the name "bug" will in your home folder ! 6) Change the directory to Downloads with "cd Downloads/" 7) Now a file with the name "bug" is in your Downloads ! 8) Remove the file with "rm bug" 9) The file "bug" is still there ! Have a look on the screenshot i have attached. Solution: The hostname should be checked if there are shell commands inside !! By the way : The hostname is not always in the hands of the root. Some people rent "vservers" and the hostname is in the hands of the isp. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: bash 4.3-14ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3 Uname: Linux 4.2.0-15-generic x86_64 ApportVersion: 2.19.1-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Fri Oct 16 22:31:46 2015 InstallationDate: Installed on 2015-10-09 (6 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: bash UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1514183] Re: distutils : file "bdist_rpm.py" allows Shell injection in "name"
Reported to Upstream : http://bugs.python.org/issue25627 ** Bug watch added: Python Roundup #25627 http://bugs.python.org/issue25627 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1514183 Title: distutils : file "bdist_rpm.py" allows Shell injection in "name" Status in python2.7 package in Ubuntu: Incomplete Bug description: File : /usr/lib/python2.7/distutils/command/bdist_rpm.py Line 358 : This line in the code uses the depreached os.popen command, should be replaced with subprocess.Popen() : out = os.popen(q_cmd) Exploit demo : 1) Download the setup.py script wich i attached 2) Create a test folder an put the setup.py script in this folder 3) cd to the test folder 4) python setup.py bdist_rpm 5) A xmessage window pops up as a proof of concept ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: libpython2.7-stdlib 2.7.10-4ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3 Uname: Linux 4.2.0-17-generic x86_64 NonfreeKernelModules: wl ApportVersion: 2.19.1-0ubuntu4 Architecture: amd64 CurrentDesktop: Unity Date: Sun Nov 8 13:47:34 2015 InstallationDate: Installed on 2015-10-22 (16 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021) SourcePackage: python2.7 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1514183] Re: distutils : file "bdist_rpm.py" allows Shell injection in "name"
Hello Tyler, i only used the setup script because the distutils.core.setup() function takes such a large number of arguments, so its more easy to read than in one single line of code. No, i haven't reported this issue to upstream. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1514183 Title: distutils : file "bdist_rpm.py" allows Shell injection in "name" Status in python2.7 package in Ubuntu: Incomplete Bug description: File : /usr/lib/python2.7/distutils/command/bdist_rpm.py Line 358 : This line in the code uses the depreached os.popen command, should be replaced with subprocess.Popen() : out = os.popen(q_cmd) Exploit demo : 1) Download the setup.py script wich i attached 2) Create a test folder an put the setup.py script in this folder 3) cd to the test folder 4) python setup.py bdist_rpm 5) A xmessage window pops up as a proof of concept ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: libpython2.7-stdlib 2.7.10-4ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3 Uname: Linux 4.2.0-17-generic x86_64 NonfreeKernelModules: wl ApportVersion: 2.19.1-0ubuntu4 Architecture: amd64 CurrentDesktop: Unity Date: Sun Nov 8 13:47:34 2015 InstallationDate: Installed on 2015-10-22 (16 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021) SourcePackage: python2.7 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1514183] [NEW] distutils : file "bdist_rpm.py" allows Shell injection in "name"
*** This bug is a security vulnerability *** Public security bug reported: File : /usr/lib/python2.7/distutils/command/bdist_rpm.py Line 358 : This line in the code uses the depreached os.popen command, should be replaced with subprocess.Popen() : out = os.popen(q_cmd) Exploit demo : 1) Download the setup.py script wich i attached 2) Create a test folder an put the setup.py script in this folder 3) cd to the test folder 4) python setup.py bdist_rpm 5) A xmessage window pops up as a proof of concept ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: libpython2.7-stdlib 2.7.10-4ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3 Uname: Linux 4.2.0-17-generic x86_64 NonfreeKernelModules: wl ApportVersion: 2.19.1-0ubuntu4 Architecture: amd64 CurrentDesktop: Unity Date: Sun Nov 8 13:47:34 2015 InstallationDate: Installed on 2015-10-22 (16 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021) SourcePackage: python2.7 UpgradeStatus: No upgrade log present (probably fresh install) ** Affects: python2.7 (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug wily ** Attachment added: "Exploit demo setup.py script with a Shell command in "name"" https://bugs.launchpad.net/bugs/1514183/+attachment/4515059/+files/setup.py ** Summary changed: - distutils : filebdist_rpm.py allows Shell injection in "name" + distutils : file "bdist_rpm.py" allows Shell injection in "name" ** Information type changed from Public to Public Security ** Description changed: File : /usr/lib/python2.7/distutils/command/bdist_rpm.py - Line 358 : - This line in the code uses the depreached os.popen command, should be replaced with supbprocess.Popen() : + Line 358 : + This line in the code uses the depreached os.popen command, should be replaced with subprocess.Popen() : out = os.popen(q_cmd) Exploit demo : 1) Download the setup.py script wich i attached 2) Create a test folder an put the setup.py script in this folder 3) cd to the test folder 4) python setup.py bdist_rpm 5) A xmessage window pops up as a proof of concept ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: libpython2.7-stdlib 2.7.10-4ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3 Uname: Linux 4.2.0-17-generic x86_64 NonfreeKernelModules: wl ApportVersion: 2.19.1-0ubuntu4 Architecture: amd64 CurrentDesktop: Unity Date: Sun Nov 8 13:47:34 2015 InstallationDate: Installed on 2015-10-22 (16 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021) SourcePackage: python2.7 UpgradeStatus: No upgrade log present (probably fresh install) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1514183 Title: distutils : file "bdist_rpm.py" allows Shell injection in "name" Status in python2.7 package in Ubuntu: New Bug description: File : /usr/lib/python2.7/distutils/command/bdist_rpm.py Line 358 : This line in the code uses the depreached os.popen command, should be replaced with subprocess.Popen() : out = os.popen(q_cmd) Exploit demo : 1) Download the setup.py script wich i attached 2) Create a test folder an put the setup.py script in this folder 3) cd to the test folder 4) python setup.py bdist_rpm 5) A xmessage window pops up as a proof of concept ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: libpython2.7-stdlib 2.7.10-4ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3 Uname: Linux 4.2.0-17-generic x86_64 NonfreeKernelModules: wl ApportVersion: 2.19.1-0ubuntu4 Architecture: amd64 CurrentDesktop: Unity Date: Sun Nov 8 13:47:34 2015 InstallationDate: Installed on 2015-10-22 (16 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021) SourcePackage: python2.7 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1512068] [NEW] Python ctypes.util , Shell Injection in find_library()
Public bug reported: https://github.com/Legrandin/ctypes/issues/1 The find_library() function can execute code when special chars like ;|`<>$ are in the name. The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()". Demo Exploits for Linux : >>> from ctypes.util import find_library >>> find_library(";xeyes")# runs xeyes >>> find_library("|xterm")# runs terminal >>> find_library("")# runs gimp >>> find_library("$(nautilus)") # runs filemanager >>> find_library(">test") # creates, and if exists, >>> erases a file "test" Traceback >>> find_library("`xmessage hello`")# shows a message, press ctrl+c for >>> Traceback ^CTraceback (most recent call last): File "", line 1, in File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name)) File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc trace = f.read() KeyboardInterrupt ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: libpython2.7-stdlib 2.7.10-4ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3 Uname: Linux 4.2.0-16-generic x86_64 ApportVersion: 2.19.1-0ubuntu4 Architecture: amd64 CurrentDesktop: XFCE Date: Sun Nov 1 10:34:38 2015 InstallationDate: Installed on 2015-10-09 (22 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: python2.7 UpgradeStatus: No upgrade log present (probably fresh install) ** Affects: python2.7 (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug wily ** Attachment removed: "JournalErrors.txt" https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+attachment/4510277/+files/JournalErrors.txt -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1512068 Title: Python ctypes.util , Shell Injection in find_library() Status in python2.7 package in Ubuntu: New Bug description: https://github.com/Legrandin/ctypes/issues/1 The find_library() function can execute code when special chars like ;|`<>$ are in the name. The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()". Demo Exploits for Linux : >>> from ctypes.util import find_library >>> find_library(";xeyes")# runs xeyes >>> find_library("|xterm")# runs terminal >>> find_library("")# runs gimp >>> find_library("$(nautilus)") # runs filemanager >>> find_library(">test") # creates, and if exists, erases a file "test" Traceback >>> find_library("`xmessage hello`")# shows a message, press ctrl+c for Traceback ^CTraceback (most recent call last): File "", line 1, in File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name)) File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc trace = f.read() KeyboardInterrupt ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: libpython2.7-stdlib 2.7.10-4ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3 Uname: Linux 4.2.0-16-generic x86_64 ApportVersion: 2.19.1-0ubuntu4 Architecture: amd64 CurrentDesktop: XFCE Date: Sun Nov 1 10:34:38 2015 InstallationDate: Installed on 2015-10-09 (22 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: python2.7 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname
script ** Attachment added: "changehostname.sh" https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4510099/+files/changehostname.sh -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname Status in bash package in Ubuntu: New Bug description: If the HOSTNAME of the pc contains a shell command , the command will run every time you start a terminal, tty or xterm. The command will also executed every time when you type in some command. If you for example change the directory , it will run again. Exploit Demo : 1) edit "/etc/hosts" to this : 127.0.0.1 localhost 127.0.1.1 `ls>bug` 2) edit "/etc/hostname" to this : `ls>bug` 3) reboot 4) start a terminal 5) Now a file with the name "bug" will in your home folder ! 6) Change the directory to Downloads with "cd Downloads/" 7) Now a file with the name "bug" is in your Downloads ! 8) Remove the file with "rm bug" 9) The file "bug" is still there ! Have a look on the screenshot i have attached. Solution: The hostname should be checked if there are shell commands inside !! By the way : The hostname is not always in the hands of the root. Some people rent "vservers" and the hostname is in the hands of the isp. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: bash 4.3-14ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3 Uname: Linux 4.2.0-15-generic x86_64 ApportVersion: 2.19.1-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Fri Oct 16 22:31:46 2015 InstallationDate: Installed on 2015-10-09 (6 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: bash UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname
#! /bin/sh # run this as root early in the boot order. No other script like hostname.sh should run later HOSTNAME="$(hostname|sed 's/[^A-Za-z0-9_\-\.]/x/g')";hostname "$HOSTNAME" -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname Status in bash package in Ubuntu: New Bug description: If the HOSTNAME of the pc contains a shell command , the command will run every time you start a terminal, tty or xterm. The command will also executed every time when you type in some command. If you for example change the directory , it will run again. Exploit Demo : 1) edit "/etc/hosts" to this : 127.0.0.1 localhost 127.0.1.1 `ls>bug` 2) edit "/etc/hostname" to this : `ls>bug` 3) reboot 4) start a terminal 5) Now a file with the name "bug" will in your home folder ! 6) Change the directory to Downloads with "cd Downloads/" 7) Now a file with the name "bug" is in your Downloads ! 8) Remove the file with "rm bug" 9) The file "bug" is still there ! Have a look on the screenshot i have attached. Solution: The hostname should be checked if there are shell commands inside !! By the way : The hostname is not always in the hands of the root. Some people rent "vservers" and the hostname is in the hands of the isp. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: bash 4.3-14ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3 Uname: Linux 4.2.0-15-generic x86_64 ApportVersion: 2.19.1-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Fri Oct 16 22:31:46 2015 InstallationDate: Installed on 2015-10-09 (6 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: bash UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname
Workaround ... to make my modified "hostname.sh" script run at startup, i changed the file /etc/rc.local #!/bin/sh -e # # rc.local # # This script is executed at the end of each multiuser runlevel. # Make sure that the script will "exit 0" on success or any other # value on error. # # In order to enable or disable this script just change the execution # bits. # # By default this script does nothing. /etc/init.d/hostname.sh start exit 0 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname Status in bash package in Ubuntu: New Bug description: If the HOSTNAME of the pc contains a shell command , the command will run every time you start a terminal, tty or xterm. The command will also executed every time when you type in some command. If you for example change the directory , it will run again. Exploit Demo : 1) edit "/etc/hosts" to this : 127.0.0.1 localhost 127.0.1.1 `ls>bug` 2) edit "/etc/hostname" to this : `ls>bug` 3) reboot 4) start a terminal 5) Now a file with the name "bug" will in your home folder ! 6) Change the directory to Downloads with "cd Downloads/" 7) Now a file with the name "bug" is in your Downloads ! 8) Remove the file with "rm bug" 9) The file "bug" is still there ! Have a look on the screenshot i have attached. Solution: The hostname should be checked if there are shell commands inside !! By the way : The hostname is not always in the hands of the root. Some people rent "vservers" and the hostname is in the hands of the isp. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: bash 4.3-14ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3 Uname: Linux 4.2.0-15-generic x86_64 ApportVersion: 2.19.1-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Fri Oct 16 22:31:46 2015 InstallationDate: Installed on 2015-10-09 (6 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: bash UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname
Thats better ... (the "-" was wrong in my previous posting ) HOSTNAME="${HOSTNAME//[^A-Za-z0-9_\-]/x}" i attached a modified hostname.sh wich uses bash. it can be startet manualy with sudo /etc/init.d/hostname.sh start The command should somehow run at startup ... but does not by default ? ** Attachment added: "hostname.sh" https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4499613/+files/hostname.sh -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname Status in bash package in Ubuntu: New Bug description: If the HOSTNAME of the pc contains a shell command , the command will run every time you start a terminal, tty or xterm. The command will also executed every time when you type in some command. If you for example change the directory , it will run again. Exploit Demo : 1) edit "/etc/hosts" to this : 127.0.0.1 localhost 127.0.1.1 `ls>bug` 2) edit "/etc/hostname" to this : `ls>bug` 3) reboot 4) start a terminal 5) Now a file with the name "bug" will in your home folder ! 6) Change the directory to Downloads with "cd Downloads/" 7) Now a file with the name "bug" is in your Downloads ! 8) Remove the file with "rm bug" 9) The file "bug" is still there ! Have a look on the screenshot i have attached. Solution: The hostname should be checked if there are shell commands inside !! By the way : The hostname is not always in the hands of the root. Some people rent "vservers" and the hostname is in the hands of the isp. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: bash 4.3-14ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3 Uname: Linux 4.2.0-15-generic x86_64 ApportVersion: 2.19.1-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Fri Oct 16 22:31:46 2015 InstallationDate: Installed on 2015-10-09 (6 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: bash UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname
Patch : HOSTNAME=${HOSTNAME//[^A-Za-z0-9-_]/_} -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname Status in bash package in Ubuntu: New Bug description: If the HOSTNAME of the pc contains a shell command , the command will run every time you start a terminal, tty or xterm. The command will also executed every time when you type in some command. If you for example change the directory , it will run again. Exploit Demo : 1) edit "/etc/hosts" to this : 127.0.0.1 localhost 127.0.1.1 `ls>bug` 2) edit "/etc/hostname" to this : `ls>bug` 3) reboot 4) start a terminal 5) Now a file with the name "bug" will in your home folder ! 6) Change the directory to Downloads with "cd Downloads/" 7) Now a file with the name "bug" is in your Downloads ! 8) Remove the file with "rm bug" 9) The file "bug" is still there ! Have a look on the screenshot i have attached. Solution: The hostname should be checked if there are shell commands inside !! By the way : The hostname is not always in the hands of the root. Some people rent "vservers" and the hostname is in the hands of the isp. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: bash 4.3-14ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3 Uname: Linux 4.2.0-15-generic x86_64 ApportVersion: 2.19.1-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Fri Oct 16 22:31:46 2015 InstallationDate: Installed on 2015-10-09 (6 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: bash UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname
I agree, i think the hostname should be in the hands of the kernel only. Should not be overwritten by /etc/hostname.sh. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname Status in bash package in Ubuntu: New Bug description: If the HOSTNAME of the pc contains a shell command , the command will run every time you start a terminal, tty or xterm. The command will also executed every time when you type in some command. If you for example change the directory , it will run again. Exploit Demo : 1) edit "/etc/hosts" to this : 127.0.0.1 localhost 127.0.1.1 `ls>bug` 2) edit "/etc/hostname" to this : `ls>bug` 3) reboot 4) start a terminal 5) Now a file with the name "bug" will in your home folder ! 6) Change the directory to Downloads with "cd Downloads/" 7) Now a file with the name "bug" is in your Downloads ! 8) Remove the file with "rm bug" 9) The file "bug" is still there ! Have a look on the screenshot i have attached. Solution: The hostname should be checked if there are shell commands inside !! By the way : The hostname is not always in the hands of the root. Some people rent "vservers" and the hostname is in the hands of the isp. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: bash 4.3-14ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3 Uname: Linux 4.2.0-15-generic x86_64 ApportVersion: 2.19.1-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Fri Oct 16 22:31:46 2015 InstallationDate: Installed on 2015-10-09 (6 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: bash UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname
typo ... the path is /etc/init.d/hostname.sh -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname Status in bash package in Ubuntu: New Bug description: If the HOSTNAME of the pc contains a shell command , the command will run every time you start a terminal, tty or xterm. The command will also executed every time when you type in some command. If you for example change the directory , it will run again. Exploit Demo : 1) edit "/etc/hosts" to this : 127.0.0.1 localhost 127.0.1.1 `ls>bug` 2) edit "/etc/hostname" to this : `ls>bug` 3) reboot 4) start a terminal 5) Now a file with the name "bug" will in your home folder ! 6) Change the directory to Downloads with "cd Downloads/" 7) Now a file with the name "bug" is in your Downloads ! 8) Remove the file with "rm bug" 9) The file "bug" is still there ! Have a look on the screenshot i have attached. Solution: The hostname should be checked if there are shell commands inside !! By the way : The hostname is not always in the hands of the root. Some people rent "vservers" and the hostname is in the hands of the isp. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: bash 4.3-14ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3 Uname: Linux 4.2.0-15-generic x86_64 ApportVersion: 2.19.1-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Fri Oct 16 22:31:46 2015 InstallationDate: Installed on 2015-10-09 (6 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: bash UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname
german demo video https://www.youtube.com/watch?v=qYuVzHsklS8 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname Status in bash package in Ubuntu: New Bug description: If the HOSTNAME of the pc contains a shell command , the command will run every time you start a terminal, tty or xterm. The command will also executed every time when you type in some command. If you for example change the directory , it will run again. Exploit Demo : 1) edit "/etc/hosts" to this : 127.0.0.1 localhost 127.0.1.1 `ls>bug` 2) edit "/etc/hostname" to this : `ls>bug` 3) reboot 4) start a terminal 5) Now a file with the name "bug" will in your home folder ! 6) Change the directory to Downloads with "cd Downloads/" 7) Now a file with the name "bug" is in your Downloads ! 8) Remove the file with "rm bug" 9) The file "bug" is still there ! Have a look on the screenshot i have attached. Solution: The hostname should be checked if there are shell commands inside !! By the way : The hostname is not always in the hands of the root. Some people rent "vservers" and the hostname is in the hands of the isp. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: bash 4.3-14ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3 Uname: Linux 4.2.0-15-generic x86_64 ApportVersion: 2.19.1-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Fri Oct 16 22:31:46 2015 InstallationDate: Installed on 2015-10-09 (6 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: bash UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname
** Attachment removed: "Dependencies.txt" https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497264/+files/Dependencies.txt ** Attachment removed: "JournalErrors.txt" https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497265/+files/JournalErrors.txt ** Attachment removed: "ProcEnviron.txt" https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497266/+files/ProcEnviron.txt ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname Status in bash package in Ubuntu: New Bug description: If the HOSTNAME of the pc contains a shell command , the command will run every time you start a terminal, tty or xterm. The command will also executed every time when you type in some command. If you for example change the directory , it will run again. Exploit Demo : 1) edit "/etc/hosts" to this : 127.0.0.1 localhost 127.0.1.1 `ls>bug` 2) edit "/etc/hostname" to this : `ls>bug` 3) reboot 4) start a terminal 5) Now a file with the name "bug" will in your home folder ! 6) Change the directory to Downloads with "cd Downloads/" 7) Now a file with the name "bug" is in your Downloads ! 8) Remove the file with "rm bug" 9) The file "bug" is still there ! Have a look on the screenshot i have attached. Solution: The hostname should be checked if there are shell commands inside !! By the way : The hostname is not always in the hands of the root. Some people rent "vservers" and the hostname is in the hands of the isp. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: bash 4.3-14ubuntu1 ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3 Uname: Linux 4.2.0-15-generic x86_64 ApportVersion: 2.19.1-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Fri Oct 16 22:31:46 2015 InstallationDate: Installed on 2015-10-09 (6 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: bash UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1462470] Re: pydoc.py uses old netscape navigator
** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1462470 Title: pydoc.py uses old netscape navigator Status in python2.7 package in Ubuntu: New Bug description: File : /usr/lib/python2.7/pydoc.py line : 2216 ... 2226 pydoc.py uses old netscape navigator when the webbrowser module can not be imported: And it is vulnerable to shell command injection too, because it uses os.system() wich allows shell commands in the parameter url. code : def open(self, event=None, url=None): url = url or self.server.url try: import webbrowser webbrowser.open(url) except ImportError: # pre-webbrowser.py compatibility if sys.platform == 'win32': os.system('start %s' % url) else: rc = os.system('netscape -remote openURL(%s) ' % url) if rc: os.system('netscape %s ' % url) ProblemType: Bug DistroRelease: Ubuntu 15.04 Package: libpython2.7-stdlib 2.7.9-2ubuntu3 ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4 Uname: Linux 3.16.0-24-generic i686 NonfreeKernelModules: nvidia ApportVersion: 2.17.2-0ubuntu1.1 Architecture: i386 CurrentDesktop: MATE Date: Fri Jun 5 19:33:43 2015 InstallationDate: Installed on 2014-11-02 (214 days ago) InstallationMedia: Ubuntu MATE 14.10 Utopic Unicorn - i386 (20141023) SourcePackage: python2.7 UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1462470/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1462470] [NEW] pydoc.py uses old netscape navigator
Public bug reported: File : /usr/lib/python2.7/pydoc.py line : 2216 ... 2226 pydoc.py uses old netscape navigator when the webbrowser module can not be imported: And it is vulnerable to shell command injection too, because it uses os.system() wich allows shell commands in the parameter url. code : def open(self, event=None, url=None): url = url or self.server.url try: import webbrowser webbrowser.open(url) except ImportError: # pre-webbrowser.py compatibility if sys.platform == 'win32': os.system('start %s' % url) else: rc = os.system('netscape -remote openURL(%s) ' % url) if rc: os.system('netscape %s ' % url) ProblemType: Bug DistroRelease: Ubuntu 15.04 Package: libpython2.7-stdlib 2.7.9-2ubuntu3 ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4 Uname: Linux 3.16.0-24-generic i686 NonfreeKernelModules: nvidia ApportVersion: 2.17.2-0ubuntu1.1 Architecture: i386 CurrentDesktop: MATE Date: Fri Jun 5 19:33:43 2015 InstallationDate: Installed on 2014-11-02 (214 days ago) InstallationMedia: Ubuntu MATE 14.10 Utopic Unicorn - i386 (20141023) SourcePackage: python2.7 UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago) ** Affects: python2.7 (Ubuntu) Importance: Undecided Status: New ** Tags: apport-bug i386 vivid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1462470 Title: pydoc.py uses old netscape navigator Status in python2.7 package in Ubuntu: New Bug description: File : /usr/lib/python2.7/pydoc.py line : 2216 ... 2226 pydoc.py uses old netscape navigator when the webbrowser module can not be imported: And it is vulnerable to shell command injection too, because it uses os.system() wich allows shell commands in the parameter url. code : def open(self, event=None, url=None): url = url or self.server.url try: import webbrowser webbrowser.open(url) except ImportError: # pre-webbrowser.py compatibility if sys.platform == 'win32': os.system('start %s' % url) else: rc = os.system('netscape -remote openURL(%s) ' % url) if rc: os.system('netscape %s ' % url) ProblemType: Bug DistroRelease: Ubuntu 15.04 Package: libpython2.7-stdlib 2.7.9-2ubuntu3 ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4 Uname: Linux 3.16.0-24-generic i686 NonfreeKernelModules: nvidia ApportVersion: 2.17.2-0ubuntu1.1 Architecture: i386 CurrentDesktop: MATE Date: Fri Jun 5 19:33:43 2015 InstallationDate: Installed on 2014-11-02 (214 days ago) InstallationMedia: Ubuntu MATE 14.10 Utopic Unicorn - i386 (20141023) SourcePackage: python2.7 UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1462470/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp