[Touch-packages] [Bug 1513964] Re: dsextras.py : Shell Command Injection with a pkg name

2016-05-28 Thread Bernd Dietzel
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pygobject-2 in Ubuntu.
https://bugs.launchpad.net/bugs/1513964

Title:
  dsextras.py :  Shell Command Injection with a pkg name

Status in pygobject-2 package in Ubuntu:
  New

Bug description:
  Exploit screenshot attached.

  The "dsextras.py" script is vulnerable in multiple functions to code
  injection via the "name" of a pkg.

  The script uses old and deprecated Python functions which are a
  security risk:

  commands.getstatusoutput()
  os.system()
  os.popen()

  Please use the subprocess module instead !

  
  Exploit example which runs an xmessage command
  ==

  theregrunner@1510:~$ cd /usr/lib/python2.7/dist-packages/gtk-2.0/
  theregrunner@1510:/usr/lib/python2.7/dist-packages/gtk-2.0$ python
  Python 2.7.10 (default, Oct 14 2015, 16:09:02) 
  [GCC 5.2.1 20151010] on linux2
  Type "help", "copyright", "credits" or "license" for more information.
  >>> import dsextras
  >>> dsextras.pkgc_get_version('fontutil;xmessage "hello bug"')
  '1.3.1'
   
  ===

  This bug also affects the ".so" files in the gtk-2.0 folder:
  atk.so
  gtkunixprint.so
  pangocairo.so
  pango.so

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: python-gobject-2 2.28.6-12build1
  ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
  Uname: Linux 4.2.0-16-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  Date: Fri Nov  6 21:36:38 2015
  InstallationDate: Installed on 2015-10-22 (15 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=de_DE.UTF-8
   SHELL=/bin/bash
  SourcePackage: pygobject-2
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pygobject-2/+bug/1513964/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1512068] Re: Python ctypes.util , Shell Injection in find_library()

2015-11-28 Thread Bernd Dietzel
Seems the bug is already known and fixed since 2014 but has not found its way to the
Ubuntu repos.
http://bugs.python.org/issue22636


** Information type changed from Private Security to Public Security

** Bug watch added: Python Roundup #22636
   http://bugs.python.org/issue22636

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1512068

Title:
  Python ctypes.util , Shell Injection in find_library()

Status in python2.7 package in Ubuntu:
  New

Bug description:
  https://github.com/Legrandin/ctypes/issues/1

  The find_library() function can execute code when special chars like ;|`<>$ are in the name.
  The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".

  Demo Exploits for Linux :
  

  >>> from ctypes.util import find_library
  >>> find_library(";xeyes")          # runs xeyes
  >>> find_library("|xterm")          # runs terminal
  >>> find_library("")                # runs gimp
  >>> find_library("$(nautilus)")     # runs filemanager
  >>> find_library(">test")           # creates, and if exists, erases a file "test"

   Traceback 

  >>> find_library("`xmessage hello`")   # shows a message, press ctrl+c for Traceback
  ^CTraceback (most recent call last):
    File "", line 1, in 
    File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
      return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
    File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
      trace = f.read()
  KeyboardInterrupt

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libpython2.7-stdlib 2.7.10-4ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
  Uname: Linux 4.2.0-16-generic x86_64
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Sun Nov  1 10:34:38 2015
  InstallationDate: Installed on 2015-10-09 (22 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
  SourcePackage: python2.7
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname

2015-11-25 Thread Bernd Dietzel
@Marc
Yes, if some application has a bug, for example MintNanny:
https://bugs.launchpad.net/linuxmint/+bug/1460835

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1507025

Title:
  Shell Command Injection with the hostname

Status in bash package in Ubuntu:
  New

Bug description:
  If the HOSTNAME of the PC contains a shell command,
  the command will run every time you start a terminal, tty or xterm.

  The command will also be executed every time you type in some command.
  If you, for example, change the directory, it will run again.
   
  Exploit Demo:

  1) edit "/etc/hosts" to this:

  127.0.0.1 localhost
  127.0.1.1  `ls>bug`

  2) edit "/etc/hostname" to this:

  `ls>bug`

  3) reboot

  4) start a terminal

  5) Now a file with the name "bug" will be in your home folder!

  6) Change the directory to Downloads with "cd Downloads/"

  7) Now a file with the name "bug" is in your Downloads!

  8) Remove the file with "rm bug"

  9) The file "bug" is still there!

  
  Have a look at the screenshot I have attached.

  Solution:
  The hostname should be checked for shell commands inside!!

  By the way:
  The hostname is not always in the hands of root.
  Some people rent "vservers" and the hostname is in the hands of the ISP.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: bash 4.3-14ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3
  Uname: Linux 4.2.0-15-generic x86_64
  ApportVersion: 2.19.1-0ubuntu2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Oct 16 22:31:46 2015
  InstallationDate: Installed on 2015-10-09 (6 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
  SourcePackage: bash
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1514183] Re: distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-14 Thread Bernd Dietzel
Reported to Upstream :
http://bugs.python.org/issue25627

** Bug watch added: Python Roundup #25627
   http://bugs.python.org/issue25627

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1514183

Title:
  distutils : file "bdist_rpm.py"  allows Shell injection in "name"

Status in python2.7 package in Ubuntu:
  Incomplete

Bug description:
  File :
  /usr/lib/python2.7/distutils/command/bdist_rpm.py

  Line 358 :
  This line in the code uses the deprecated os.popen command; it should be replaced with subprocess.Popen():

  out = os.popen(q_cmd)

  Exploit demo :
  
  1) Download the setup.py script which I attached
  2) Create a test folder and put the setup.py script in this folder
  3) cd to the test folder
  4) python setup.py bdist_rpm
  5) An xmessage window pops up as a proof of concept

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libpython2.7-stdlib 2.7.10-4ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
  Uname: Linux 4.2.0-17-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sun Nov  8 13:47:34 2015
  InstallationDate: Installed on 2015-10-22 (16 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
  SourcePackage: python2.7
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1514183] Re: distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-12 Thread Bernd Dietzel
Hello Tyler,
I only used the setup script because the distutils.core.setup() function takes
such a large number of arguments, so it's easier to read than one single
line of code.

No, I haven't reported this issue to upstream.



[Touch-packages] [Bug 1514183] [NEW] distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-08 Thread Bernd Dietzel
*** This bug is a security vulnerability ***

Public security bug reported:

File :
/usr/lib/python2.7/distutils/command/bdist_rpm.py

Line 358 :
This line in the code uses the deprecated os.popen command; it should be replaced with subprocess.Popen():

out = os.popen(q_cmd)

Exploit demo :

1) Download the setup.py script which I attached
2) Create a test folder and put the setup.py script in this folder
3) cd to the test folder
4) python setup.py bdist_rpm
5) An xmessage window pops up as a proof of concept

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
Uname: Linux 4.2.0-17-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Nov  8 13:47:34 2015
InstallationDate: Installed on 2015-10-22 (16 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: python2.7 (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug wily

** Attachment added: "Exploit demo setup.py script with a Shell command in "name""
   https://bugs.launchpad.net/bugs/1514183/+attachment/4515059/+files/setup.py

** Summary changed:

- distutils : filebdist_rpm.py allows Shell injection in "name" 
+ distutils : file "bdist_rpm.py"  allows Shell injection in "name"

** Information type changed from Public to Public Security

** Description changed:

  File :
  /usr/lib/python2.7/distutils/command/bdist_rpm.py
  
- Line 358 : 
- This line in the code uses the depreached os.popen command, should be 
replaced with supbprocess.Popen() :
+ Line 358 :
+ This line in the code uses the depreached os.popen command, should be 
replaced with subprocess.Popen() :
  
  out = os.popen(q_cmd)
  
  Exploit demo :
  
  1) Download the setup.py script wich i attached
  2) Create a test folder an put the setup.py script in this folder
  3) cd  to the test folder
  4) python setup.py bdist_rpm
  5) A xmessage window pops up as a proof of concept
  
  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libpython2.7-stdlib 2.7.10-4ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-17.21-generic 4.2.3
  Uname: Linux 4.2.0-17-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.19.1-0ubuntu4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sun Nov  8 13:47:34 2015
  InstallationDate: Installed on 2015-10-22 (16 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
  SourcePackage: python2.7
  UpgradeStatus: No upgrade log present (probably fresh install)



[Touch-packages] [Bug 1512068] [NEW] Python ctypes.util , Shell Injection in find_library()

2015-11-01 Thread Bernd Dietzel
Public bug reported:

https://github.com/Legrandin/ctypes/issues/1

The find_library() function can execute code when special chars like ;|`<>$ are in the name.
The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".

Demo Exploits for Linux :


>>> from ctypes.util import find_library
>>> find_library(";xeyes")          # runs xeyes
>>> find_library("|xterm")          # runs terminal
>>> find_library("")                # runs gimp
>>> find_library("$(nautilus)")     # runs filemanager
>>> find_library(">test")           # creates, and if exists, erases a file "test"

 Traceback 

>>> find_library("`xmessage hello`")   # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
    trace = f.read()
KeyboardInterrupt

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: libpython2.7-stdlib 2.7.10-4ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu4
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Nov  1 10:34:38 2015
InstallationDate: Installed on 2015-10-09 (22 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: python2.7
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: python2.7 (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug wily

** Attachment removed: "JournalErrors.txt"
   https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068/+attachment/4510277/+files/JournalErrors.txt

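The pattern behind all three Python reports in this thread (dsextras.py, ctypes.util.find_library() and distutils' bdist_rpm.py), as an added example that is not code from any of those modules: the command string os.popen()/commands.getstatusoutput() hand to /bin/sh, beside the argv-based subprocess call the reporter asks for. The package-name allow-list and the use of a child Python interpreter in place of pkg-config are assumptions made so the example runs offline.

```python
# Added example, not code from dsextras.py, ctypes/util.py or distutils.
# Shows why a command string built from a caller-supplied name is a shell
# injection, and what the argv-based subprocess replacement looks like.
import re
import subprocess
import sys

# Assumed allow-list for a pkg-config / library / RPM package name:
# a leading alphanumeric, then letters, digits, ".", "_", "+", "-"
# (covers names such as "fontutil" or "gtk+-2.0").
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")

# Characters /bin/sh interprets in the string os.popen() receives.
SHELL_META = frozenset(";|&`$<>()\n")


def unsafe_command_string(tool, name):
    """The string the old os.popen()/getstatusoutput() code hands to /bin/sh.

    Built here for inspection only, never executed: with the report's input
    it contains ';', so the shell would start a second command.
    """
    return f"{tool} --modversion {name}"


def has_shell_metachars(cmd):
    """True if the string contains something the shell would act on."""
    return any(ch in SHELL_META for ch in cmd)


def validate_name(name):
    """Defence in depth: reject anything that is not a plain package name."""
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid package name: {name!r}")
    return name


def safe_argv(tool, name):
    """argv list for subprocess.run(): no shell is involved, so even an
    unvalidated name could not start another process; validation still
    keeps junk out of the tool's arguments, error messages and logs."""
    return [tool, "--modversion", validate_name(name)]


def echo_through_argv(name):
    """Run a child that prints sys.argv[1] (stand-in for pkg-config, assumed).

    Returns exactly what the child received: passed as an argv element, the
    ';', quotes and spaces arrive as one literal argument, nothing is run.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def demo(name='fontutil;xmessage "hello bug"'):
    """Contrast both paths on the report's own test input.

    Returns (shell_string_is_dangerous, argv_passed_literally, rejected).
    """
    dangerous = has_shell_metachars(unsafe_command_string("pkg-config", name))
    literal = echo_through_argv(name) == name
    try:
        safe_argv("pkg-config", name)
        rejected = False
    except ValueError:
        rejected = True
    return dangerous, literal, rejected


if __name__ == "__main__":
    print(demo())            # (True, True, True)
    print(demo("fontutil"))  # (False, True, False)
```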


[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-31 Thread Bernd Dietzel
script

** Attachment added: "changehostname.sh"
   https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4510099/+files/changehostname.sh



[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-31 Thread Bernd Dietzel
#! /bin/sh
# run this as root early in the boot order. No other script like hostname.sh
# should run later
# Allowed characters: letters, digits, "_", "." and "-". The original class
# [^A-Za-z0-9_\-\.] parsed "\-\" as a range, so a hyphen in a real hostname
# was replaced by "x"; a literal "-" has to be the last character of the class.
HOSTNAME="$(hostname | sed 's/[^A-Za-z0-9_.-]/x/g')"
hostname "$HOSTNAME"



[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-19 Thread Bernd Dietzel
Workaround ...
to make my modified "hostname.sh" script run at startup, I changed the file
/etc/rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

/etc/init.d/hostname.sh start

exit 0



[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-18 Thread Bernd Dietzel
That's better ... (the "-" was wrong in my previous posting)

HOSTNAME="${HOSTNAME//[^A-Za-z0-9_\-]/x}"

I attached a modified hostname.sh which uses bash.

It can be started manually with

sudo /etc/init.d/hostname.sh start

The command should somehow run at startup ... but does not by default?

** Attachment added: "hostname.sh"
   https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4499613/+files/hostname.sh



[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-18 Thread Bernd Dietzel
Patch :

HOSTNAME=${HOSTNAME//[^A-Za-z0-9-_]/_}



[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-17 Thread Bernd Dietzel
I agree,
I think the hostname should be in the hands of the kernel only.
It should not be overwritten by /etc/hostname.sh.



[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-17 Thread Bernd Dietzel
typo ... the path is 
/etc/init.d/hostname.sh



[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-17 Thread Bernd Dietzel
German demo video
https://www.youtube.com/watch?v=qYuVzHsklS8



[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname

2015-10-16 Thread Bernd Dietzel
** Attachment removed: "Dependencies.txt"
   https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497264/+files/Dependencies.txt

** Attachment removed: "JournalErrors.txt"
   https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497265/+files/JournalErrors.txt

** Attachment removed: "ProcEnviron.txt"
   https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497266/+files/ProcEnviron.txt

** Information type changed from Private Security to Public Security



[Touch-packages] [Bug 1462470] Re: pydoc.py uses old netscape navigator

2015-06-30 Thread Bernd Dietzel
** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1462470

Title:
  pydoc.py uses old netscape navigator

Status in python2.7 package in Ubuntu:
  New

Bug description:
  File:
  /usr/lib/python2.7/pydoc.py

  line: 2216 ... 2226

  pydoc.py uses old netscape navigator when the webbrowser module can
  not be imported:

  And it is vulnerable to shell command injection too,
  because it uses os.system() which allows shell commands in the parameter url.

  code:

  def open(self, event=None, url=None):
      url = url or self.server.url
      try:
          import webbrowser
          webbrowser.open(url)
      except ImportError: # pre-webbrowser.py compatibility
          if sys.platform == 'win32':
              os.system('start %s' % url)
          else:
              rc = os.system('netscape -remote openURL(%s) ' % url)
              if rc: os.system('netscape %s ' % url)

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: libpython2.7-stdlib 2.7.9-2ubuntu3
  ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
  Uname: Linux 3.16.0-24-generic i686
  NonfreeKernelModules: nvidia
  ApportVersion: 2.17.2-0ubuntu1.1
  Architecture: i386
  CurrentDesktop: MATE
  Date: Fri Jun  5 19:33:43 2015
  InstallationDate: Installed on 2014-11-02 (214 days ago)
  InstallationMedia: Ubuntu MATE 14.10 Utopic Unicorn - i386 (20141023)
  SourcePackage: python2.7
  UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1462470/+subscriptions



[Touch-packages] [Bug 1462470] [NEW] pydoc.py uses old netscape navigator

2015-06-05 Thread Bernd Dietzel
Public bug reported:

File:
/usr/lib/python2.7/pydoc.py

line: 2216 ... 2226

pydoc.py uses old netscape navigator when the webbrowser module can not
be imported:

And it is vulnerable to shell command injection too,
because it uses os.system() which allows shell commands in the parameter url.

code:

def open(self, event=None, url=None):
    url = url or self.server.url
    try:
        import webbrowser
        webbrowser.open(url)
    except ImportError: # pre-webbrowser.py compatibility
        if sys.platform == 'win32':
            os.system('start %s' % url)
        else:
            rc = os.system('netscape -remote openURL(%s) ' % url)
            if rc: os.system('netscape %s ' % url)

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libpython2.7-stdlib 2.7.9-2ubuntu3
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: i386
CurrentDesktop: MATE
Date: Fri Jun  5 19:33:43 2015
InstallationDate: Installed on 2014-11-02 (214 days ago)
InstallationMedia: Ubuntu MATE 14.10 Utopic Unicorn - i386 (20141023)
SourcePackage: python2.7
UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago)

** Affects: python2.7 (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: apport-bug i386 vivid

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
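The two os.system() calls in the pydoc fallback above hand the URL to /bin/sh, so shell metacharacters in url become commands. As an added example (not pydoc's code), the following shows how a POSIX shell tokenizes the command line of the second call for a constructed URL, and the argv-list launch through subprocess that replaces it, where the URL reaches the browser as one literal argument; the http(s)-only check, the sample URL and the ECHO_BROWSER stand-in for netscape are assumptions of the example (Python 3.8+).

```python
import json
import shlex
import subprocess
import sys
from urllib.parse import urlsplit

# Constructed sample URL (not from the bug report): if this string reached
# /bin/sh, the text after ';' would run as a second command.
SAMPLE_URL = "http://localhost:7464/; echo injected"

def shell_tokens(url):
    """Model of the vulnerable os.system('netscape %s ' % url): how a POSIX
    shell tokenizes that line. Nothing runs; the ';' token is where the
    browser command ends and the injected one begins."""
    lexer = shlex.shlex("netscape %s " % url, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # split only on blanks and shell punctuation
    return list(lexer)

def build_open_argv(url):
    """Hardened form: the same browser invocation as an argv list. No shell
    parses it, so ';', backticks and $(...) stay inside one argument. The
    http(s)-only check is an extra guard added here, not pydoc's code."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("refusing non-http(s) URL: %r" % (url,))
    return ["netscape", "-remote", "openURL(%s)" % url]

# Stand-in for the browser binary: prints the argv it received as JSON.
ECHO_BROWSER = [sys.executable, "-c",
                "import json, sys; print(json.dumps(sys.argv[1:]))"]

def open_url(url, browser=None):
    """Launch with an argv list (never shell=True). `browser` lets the demo
    substitute ECHO_BROWSER for the real 'netscape' program."""
    argv = build_open_argv(url)
    if browser is not None:
        argv = browser + argv[1:]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout

def received_argv(url):
    """What the browser actually sees when started the hardened way."""
    return json.loads(open_url(url, ECHO_BROWSER))

if __name__ == "__main__":
    print("shell would see: ", shell_tokens(SAMPLE_URL))
    print("browser receives:", received_argv(SAMPLE_URL))
```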