*** This bug is a security vulnerability *** Public security bug reported:
https://docs.python.org/2/library/mailcap.html mailcap.findmatch(caps, MIMEtype[, key[, filename[, plist]]]) Return a 2-tuple; the first element is a string containing the command line to be executed (which can be passed to os.system()), ... Security Bug in mailcap.findmatch() function : ==================================== 1) If the "filename" or path contains a shell command , it will be injected when you use os.system() to execute the resulting command line. As you can read in the docs above, the function is designed to run os.system(<string containing the command line>). (Have a look at the Exploit Example 1 below ) 2) If you try to 'quote' the filename before using mailcap.findmatch() , the shell command can be injected too, because there may be another quoting inside the mailcaps strings witch allows the shell commands to escape. (Have a look at the Exploit Example 2 below) 3) There is no way to split the resulting command line in a correct way afterwards into a list object with a "command" and its "parameters" because after running the function you will never now if the characters for splitting the line where a part of the the filename or a part of the mailcap command in the first place. So even if you use subprocess for executing the commandline instead of os.system , you can get in trouble with unwanted parameters witch may make the viewer doing bad things. Python Exploit Example 1 : import mailcap , os d=mailcap.getcaps() FILE="';ls;#';ls;#.mp4" cmd,m=mailcap.findmatch(d, "audio/mpeg4", filename=FILE) os.system(cmd) ## this will lead to this in cmd : ## vlc '';ls;#';ls;#.mp4' ## Or it will lead us to this in cmd : ## vlc ';ls;#';ls;#.mp4 ## No matter what, it will inject the ls command after you quit vlc -- Python Exploit Example 2 : import mailcap , os try: from shlex import quote except ImportError: from pipes import quote d=mailcap.getcaps() FILE=quote(";ls;#.txt") cmd,m=mailcap.findmatch(d, "text/plain", filename=FILE) os.system(cmd) ## this will lead to this in cmd : ## less '';ls;#.txt'' ## And it will inject the ls command after you quit less '' with the Q key -- TODO : a) The Return 2-tuple Command line should be quoted in this way to make shell commands stay inside the 'quotes' : 1.] Remove the quotes from the caps string, for example make it less %s and NOT less '%s' 2.] Now quote the filename with quote(filename) , so we get for example ';xmessage hello world;#.txt' in the filename variable. 3.] Now we replace %s with the filename , so now we get less ';xmessage hello world;#.txt' and NOT less '';xmessage hello world;#.txt'' b) The mailcap.py script itself is using "os.system()" witch is vulnerable for shell injections. They should be all replaced with "subprocess.Popen()" or "subprocess.call()". c) The "MIMEtype" parameter is missing for test. if there is %s in the 'test' entries key we get a "TypeError: cannot concatenate 'str' and 'list' objects" error. Should be like this : test = subst( e['test'], MIMEtype, filename, plist) d) Think about replacing this script completely with the "run-mailcap" program of the debian project. -- You can find mailcap.py in this locations : libpython2.7-stdlib: /usr/lib/python2.7/mailcap.py libpython3.4-stdlib: /usr/lib/python3.4/mailcap.py libpython3.4-testsuite: /usr/lib/python3.4/test/test_mailcap.py libpython3.5-stdlib: /usr/lib/python3.5/mailcap.py libpython3.5-testsuite: /usr/lib/python3.5/test/test_mailcap.py pypy-lib: /usr/lib/pypy/lib-python/2.7/mailcap.py python-mailutils: /usr/lib/python2.7/dist-packages/mailutils/mailcap.py -- Weblinks : http://www.freiesmagazin.de/mobil/freiesMagazin-2015-10-bilder.html#fm_15_10_shell_command_injection http://bugs.python.org/issue24778 ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: libpython3.5-stdlib 3.5.0-3 ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3 Uname: Linux 4.2.0-16-generic x86_64 ApportVersion: 2.19.1-0ubuntu3 Architecture: amd64 CurrentDesktop: XFCE Date: Mon Oct 26 22:48:55 2015 InstallationDate: Installed on 2015-10-09 (16 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: python3.5 UpgradeStatus: No upgrade log present (probably fresh install) ** Affects: python3.5 (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug wily ** Information type changed from Private Security to Public Security ** Attachment removed: "JournalErrors.txt" https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4506156/+files/JournalErrors.txt -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1510317 Title: Shell Command Injection in "Mailcap" file handling To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
