[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2018-09-17 Thread Alex Murray
** Changed in: python3.5 (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1510317

Title:
  Shell Command Injection in "Mailcap" file handling

To manage notifications about this bug go to:
https://bugs.launchpad.net/python/+bug/1510317/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-29 Thread Bug Watch Updater
** Changed in: python
   Status: Unknown => New



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-29 Thread Marc Deslauriers
** Also affects: python via
   http://bugs.python.org/issue24778
   Importance: Unknown
   Status: Unknown



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-29 Thread Bernd Dietzel
I have reported it to upstream:
http://bugs.python.org/issue24778

I have uploaded my patches to upstream:
http://bugs.python.org/file40897/mailcap%20patch.zip

** Bug watch added: Python Roundup #24778
   http://bugs.python.org/issue24778



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-29 Thread Marc Deslauriers
Thanks for reporting this issue.

Have you reported it to the upstream Python project? If not, please file
a bug with them and link the bug here.

Thanks!



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-28 Thread Bernd Dietzel
** Patch added: "Patch for mailcap.py  (pyhon 2.7)"
   
https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4507759/+files/PatchForMailCap.diff

** Attachment removed: "mailcap.py without shell injections"
   
https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4507034/+files/patch.diff



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-28 Thread Bernd Dietzel
I fixed a typo and made the code shorter.

New patch attached.



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-27 Thread Ubuntu Foundations Team Bug Bot
The attachment "mailcap.py without shell injections" seems to be a
patch.  If it isn't, please remove the "patch" flag from the attachment,
remove the "patch" tag, and if you are a member of the ~ubuntu-
reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-27 Thread Bernd Dietzel
My patch.

1) I removed the os.system() calls and appended a new function "run" which
uses subprocess.

2) The "Subst" function now uses quote() and returns a list, not a
string. So it can be passed to subprocess.

3) If you do not want to get back a command "string" but a command
[list], you can now call "findmatch_list"

 .. please test it.


** Patch added: "mailcap.py without shell injections"
   
https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4507034/+files/patch.diff

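
The approach described in the message above (quote() applied once, and a list handed to subprocess instead of a string handed to os.system()), as an added example that is not part of the original thread and is not the attached patch. The names build_argv, build_shell_string and SHELL_ONLY are hypothetical, and refusing templates that contain shell operators is an assumption made here for safety.

```python
import re
import shlex

# Characters only a shell can interpret. A template that contains one cannot be
# expressed as a single argv, so it is refused (conservative assumption).
SHELL_ONLY = set("|&;<>()$`\\\n")


def build_argv(template, filename, mimetype=""):
    """Expand a mailcap view template into an argv list for subprocess."""
    if SHELL_ONLY & set(template):
        raise ValueError("template needs a shell: %r" % template)
    fields = {"s": filename, "t": mimetype, "%": "%"}
    # shlex.split consumes the template's own quotes, so '%s' and %s give the
    # same token; the file name is substituted afterwards and is never parsed.
    argv = [re.sub(r"%([st%])", lambda m: fields[m.group(1)], token)
            for token in shlex.split(template)]
    if not argv:
        raise ValueError("empty template")
    return argv


def build_shell_string(template, filename):
    """String form for callers that must keep a shell: drop the template's
    quotes around %s, then insert the file name quoted exactly once.
    Only handles %s standing alone, not %s embedded in a longer quoted word."""
    bare = template.replace("'%s'", "%s").replace('"%s"', "%s")
    return bare.replace("%s", shlex.quote(filename))


if __name__ == "__main__":
    # Constructed inputs, reusing the file names from the bug description.
    for tmpl, name in [("vlc '%s'", "';ls;#';ls;#.mp4"), ("less '%s'", ";ls;#.txt")]:
        print(build_argv(tmpl, name))          # pass this list to subprocess.call()
        print(build_shell_string(tmpl, name))
```

With the list form the file name reaches the viewer as exactly one argument, whatever quotes or semicolons it contains.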


[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-27 Thread Bernd Dietzel
My "Idea" for a quick bugfix:

Inside the mailcap.py script,
we copy the file to temp and give the file a random name like this ...
/temp/.tmp
... and then resulting with the random name instead of the original name.



[Bug 1510317] Re: Shell Command Injection in "Mailcap" file handling

2015-10-26 Thread Bernd Dietzel
** Description changed:

  https://docs.python.org/2/library/mailcap.html
  mailcap.findmatch(caps, MIMEtype[, key[, filename[, plist]]])
  Return a 2-tuple; the first element is a string containing the command line 
to be executed (which can be passed to os.system()), ...
  
  Security Bug in mailcap.findmatch() function :
  
  
  1) If  the "filename" or path contains a shell command , it will be injected 
when you use os.system() to execute the resulting command line. As you can read 
in the docs above, the function is designed to run  os.system().
  (Have a look at the Exploit Example 1 below )
  
- 2) If you try to 'quote' the filename before using mailcap.findmatch() , the 
shell command can be injected too, because there may be another quoting inside 
the mailcaps strings witch allows the shell commands to escape. 
- (Have a look  at the Exploit Example 2 below)  
+ 2) If you try to 'quote' the filename before using mailcap.findmatch() , the 
shell command can be injected too, because there may be another quoting inside 
the mailcaps strings witch allows the shell commands to escape.
+ (Have a look  at the Exploit Example 2 below)
  
  3) There is no way to split the resulting command line in a correct way
  afterwards into a list object with a "command" and its "parameters"
  because after running the function you will never now if the characters
  for splitting the line where a part of the the filename or a part of the
- the mailcap command in the first place. So even if you use subprocess
- for executing the commandline instead of os.system , you can get in
- trouble with unwanted parameters witch may make the viewer doing bad
- things.
- 
+ mailcap command in the first place. So even if you use subprocess for
+ executing the commandline instead of os.system , you can get in trouble
+ with unwanted parameters witch may make the viewer doing bad things.
  
  Python Exploit Example 1 :
  
  import mailcap , os
  d=mailcap.getcaps()
  FILE="';ls;#';ls;#.mp4"
  cmd,m=mailcap.findmatch(d, "audio/mpeg4", filename=FILE)
  os.system(cmd)
- ## this will lead to this in cmd : 
- ##  vlc '';ls;#';ls;#.mp4' 
- ## Or it will lead us to this in cmd : 
+ ## this will lead to this in cmd :
+ ##  vlc '';ls;#';ls;#.mp4'
+ ## Or it will lead us to this in cmd :
  ##  vlc ';ls;#';ls;#.mp4
  ## No matter what, it  will inject the ls command after you quit vlc
-  
+ 
  --
  
  Python Exploit Example 2 :
  
  import mailcap , os
  try:
- from shlex import quote
+   from shlex import quote
  except ImportError:
- from pipes import quote
+   from pipes import quote
  d=mailcap.getcaps()
  FILE=quote(";ls;#.txt")
  cmd,m=mailcap.findmatch(d, "text/plain", filename=FILE)
- os.system(cmd) 
+ os.system(cmd)
  ## this will lead to this in cmd :
  ##   less '';ls;#.txt''
  ## And it will inject the ls command after you quit less '' with the Q key
-  
+ 
  --
  
  TODO :
  a) The Return 2-tuple Command line should be quoted in this way to make shell 
commands stay inside the 'quotes'  :
- 1.] Remove the quotes from the caps string, for example make it
-   less %s and NOT less '%s' 
- 2.] Now quote the filename with quote(filename) , so we get for example 
-   ';xmessage hello world;#.txt'in the filename variable. 
- 3.] Now we replace %s with the filename  , so now we get 
-  less  ';xmessage hello world;#.txt' and NOTless '';xmessage 
hello world;#.txt''
-  
+ 1.] Remove the quotes from the caps string, for example make it
+   less %s and NOT less '%s'
+ 2.] Now quote the filename with quote(filename) , so we get for example
+   ';xmessage hello world;#.txt'in the filename variable.
+ 3.] Now we replace %s with the filename  , so now we get
+  less  ';xmessage hello world;#.txt' and NOTless '';xmessage 
hello world;#.txt''
+ 
  b) The mailcap.py script itself is using "os.system()" witch is vulnerable 
for shell injections.
-  They should be all replaced with "subprocess.Popen()" or 
"subprocess.call()".
+  They should be all replaced with "subprocess.Popen()" or 
"subprocess.call()".
  
  c) The "MIMEtype" parameter is missing for test.
- if there is %s in the  'test' entries key we get a "TypeError: cannot 
concatenate 'str' and 'list' objects" error.  
-Should be like this :
-test = subst( e['test'],  MIMEtype, filename, plist)
+ if there is %s in the  'test' entries key we get a "TypeError: cannot 
concatenate 'str' and 'list' objects" error.
+    Should be like this :
+    test = subst( e['test'],  MIMEtype, filename, plist)
  
- d) Think about replacing this scrip completely with the "run-mailcap"
+ d) Think about replacing this script completely with the "run-mailcap"
  program of the debian project.
- 
  
  --
  You can find mailcap.py in this locations :
  libpython2.7-stdlib: /usr/lib/python2.7/mailcap.py
  libpython3.4-stdlib: