[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling
** Changed in: python3.5 (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1510317 Title: Shell Command Injection in "Mailcap" file handling To manage notifications about this bug go to: https://bugs.launchpad.net/python/+bug/1510317/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling
** Changed in: python Status: Unknown => New
[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling
** Also affects: python via http://bugs.python.org/issue24778 Importance: Unknown Status: Unknown
[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling
I have reported it to upstream: http://bugs.python.org/issue24778
I have uploaded my patches to upstream: http://bugs.python.org/file40897/mailcap%20patch.zip

** Bug watch added: Python Roundup #24778 http://bugs.python.org/issue24778
[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling
Thanks for reporting this issue. Have you reported it to the upstream Python project? If not, please file a bug with them and link the bug here. Thanks!
[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling
** Patch added: "Patch for mailcap.py (pyhon 2.7)" https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4507759/+files/PatchForMailCap.diff
** Attachment removed: "mailcap.py without shell injections" https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4507034/+files/patch.diff
[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling
I fixed a typo and made the code shorter. New patch attached.
[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling
The attachment "mailcap.py without shell injections" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

** Tags added: patch
[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling
My patch.
1) I removed the os.system() calls and appended a new function "run" which uses subprocess.
2) "Subst" function now uses quote() and is returning a list, not a string. So it can be passed to subprocess.
3) If you do not want to get back a command "string" but a command [list], you can now call "findmatch_list".
Please test it.

** Patch added: "mailcap.py without shell injections" https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4507034/+files/patch.diff
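An added example (not the patch attached to this bug and not code from the Python project) contrasting the string substitution described in the report with the split-first list approach the message above describes. `echo` stands in for the viewer; the template, the harmless marker filename and all function names are constructed for illustration.

```python
import shlex
import subprocess

# Constructed stand-ins: "echo" plays the viewer, and the filenames follow the
# shape of the report's examples with a harmless marker command.
TEMPLATE = "echo '%s'"
HOSTILE = "';echo INJECTED;#.txt"
HOSTILE_BARE = ";echo INJECTED;#.txt"


def subst_string(template, filename):
    """Pattern described in the report: paste the filename into a shell string."""
    return template.replace("%s", filename)


def subst_argv(template, filename):
    """Split the template first, then fill %s inside each separate argument."""
    return [tok.replace("%s", filename) for tok in shlex.split(template)]


def run_shell(cmd):
    """What os.system(cmd) would execute, with stdout captured for inspection."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(argv):
    """No shell involved: every list item reaches the program verbatim."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


def report():
    argv = subst_argv(TEMPLATE, HOSTILE)
    return {
        # Point 1 of the report: raw filename inside a quoted template.
        "raw": run_shell(subst_string(TEMPLATE, HOSTILE)),
        # Point 2: the caller pre-quotes, the template's own quotes undo it.
        "prequoted": run_shell(subst_string(TEMPLATE, shlex.quote(HOSTILE_BARE))),
        # List form executed without a shell.
        "argv": run_argv(argv),
        # String form (TODO a): template quotes dropped, each argument re-quoted.
        "requoted": run_shell(shlex.join(argv)),
    }


if __name__ == "__main__":
    for name, out in report().items():
        print(f"{name:10} -> {out!r}")
```

In the first two cases the marker command runs as its own shell command; in the last two the viewer receives the filename unchanged as a single argument. Entries that depend on shell syntax such as pipes or redirection are not handled by this split-first approach.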
[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling
My "Idea" for a quick bugfix: Inside the mailcap.py script, we copy the file to temp and give the file a random name like this ... /temp/.tmp ... and then resulting with the random name instead of the original name.
[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling
** Description changed: https://docs.python.org/2/library/mailcap.html mailcap.findmatch(caps, MIMEtype[, key[, filename[, plist]]]) Return a 2-tuple; the first element is a string containing the command line to be executed (which can be passed to os.system()), ... Security Bug in mailcap.findmatch() function : 1) If the "filename" or path contains a shell command , it will be injected when you use os.system() to execute the resulting command line. As you can read in the docs above, the function is designed to run os.system(). (Have a look at the Exploit Example 1 below ) - 2) If you try to 'quote' the filename before using mailcap.findmatch() , the shell command can be injected too, because there may be another quoting inside the mailcaps strings witch allows the shell commands to escape. - (Have a look at the Exploit Example 2 below) + 2) If you try to 'quote' the filename before using mailcap.findmatch() , the shell command can be injected too, because there may be another quoting inside the mailcaps strings witch allows the shell commands to escape. + (Have a look at the Exploit Example 2 below) 3) There is no way to split the resulting command line in a correct way afterwards into a list object with a "command" and its "parameters" because after running the function you will never now if the characters for splitting the line where a part of the the filename or a part of the - the mailcap command in the first place. So even if you use subprocess - for executing the commandline instead of os.system , you can get in - trouble with unwanted parameters witch may make the viewer doing bad - things. - + mailcap command in the first place. So even if you use subprocess for + executing the commandline instead of os.system , you can get in trouble + with unwanted parameters witch may make the viewer doing bad things. 
Python Exploit Example 1 : import mailcap , os d=mailcap.getcaps() FILE="';ls;#';ls;#.mp4" cmd,m=mailcap.findmatch(d, "audio/mpeg4", filename=FILE) os.system(cmd) - ## this will lead to this in cmd : - ## vlc '';ls;#';ls;#.mp4' - ## Or it will lead us to this in cmd : + ## this will lead to this in cmd : + ## vlc '';ls;#';ls;#.mp4' + ## Or it will lead us to this in cmd : ## vlc ';ls;#';ls;#.mp4 ## No matter what, it will inject the ls command after you quit vlc - + -- Python Exploit Example 2 : import mailcap , os try: - from shlex import quote + from shlex import quote except ImportError: - from pipes import quote + from pipes import quote d=mailcap.getcaps() FILE=quote(";ls;#.txt") cmd,m=mailcap.findmatch(d, "text/plain", filename=FILE) - os.system(cmd) + os.system(cmd) ## this will lead to this in cmd : ## less '';ls;#.txt'' ## And it will inject the ls command after you quit less '' with the Q key - + -- TODO : a) The Return 2-tuple Command line should be quoted in this way to make shell commands stay inside the 'quotes' : - 1.] Remove the quotes from the caps string, for example make it - less %s and NOT less '%s' - 2.] Now quote the filename with quote(filename) , so we get for example - ';xmessage hello world;#.txt'in the filename variable. - 3.] Now we replace %s with the filename , so now we get - less ';xmessage hello world;#.txt' and NOTless '';xmessage hello world;#.txt'' - + 1.] Remove the quotes from the caps string, for example make it + less %s and NOT less '%s' + 2.] Now quote the filename with quote(filename) , so we get for example + ';xmessage hello world;#.txt'in the filename variable. + 3.] Now we replace %s with the filename , so now we get + less ';xmessage hello world;#.txt' and NOTless '';xmessage hello world;#.txt'' + b) The mailcap.py script itself is using "os.system()" witch is vulnerable for shell injections. - They should be all replaced with "subprocess.Popen()" or "subprocess.call()". 
+ They should be all replaced with "subprocess.Popen()" or "subprocess.call()". c) The "MIMEtype" parameter is missing for test. - if there is %s in the 'test' entries key we get a "TypeError: cannot concatenate 'str' and 'list' objects" error. -Should be like this : -test = subst( e['test'], MIMEtype, filename, plist) + if there is %s in the 'test' entries key we get a "TypeError: cannot concatenate 'str' and 'list' objects" error. + Should be like this : + test = subst( e['test'], MIMEtype, filename, plist) - d) Think about replacing this scrip completely with the "run-mailcap" + d) Think about replacing this script completely with the "run-mailcap" program of the debian project. - -- You can find mailcap.py in this locations : libpython2.7-stdlib: /usr/lib/python2.7/mailcap.py libpython3.4-stdlib: