Bug 1526176 (CVE-2017-17522)

Summary: CVE-2017-17522 python: Command injection in Lib/webbrowser.py
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adev88, bkabrda, cstratak, dmalcolm, extras-orphan, hhorak, ishcherb, jeffrey.ness, jorton, kevin, lzachar, mcyprian, mhroncok, psampaio, pviktori, python-maint, python-sig, rkuska, TicoTimo, tomspur, torsava, vstinner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-18 17:13:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1526177, 1526178, 1526179, 1526180, 1526181, 1526182    
Bug Blocks: 1526183    

Description Pedro Sampaio 2017-12-14 21:28:54 UTC 
Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.

References:

https://security-tracker.debian.org/tracker/CVE-2017-17522
Comment 1 Pedro Sampaio 2017-12-14 21:29:19 UTC 
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1526182]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1526180]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1526181]


Created python33 tracking bugs for this issue:

Affects: fedora-all [bug 1526178]


Created python34 tracking bugs for this issue:

Affects: fedora-all [bug 1526179]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1526177]
Comment 2 Miro HronĨok 2017-12-15 17:01:51 UTC 
Pedro, how do you track what Python version do we have in Fedora? Note that you are creating a bug for the python component, but that's dead since Fedora 25 EOL. Please update it to python2 in your tracking info. Also, we added python37 quite recently as well.
Comment 3 Charalampos Stratakis 2017-12-18 16:38:09 UTC 
It seems python upstream was not notified of this issue.

Pedro could you provide any info (if any) on the relevant upstream bug?
Comment 4 Pedro Sampaio 2017-12-18 19:00:38 UTC 
Charalampos,

I couldn't find any more info on it. This CVE seems issued by Debian. Maybe they have more information.

Miro,

Our tracking docs are correct, but I copied that affect list from an old bug. Thank you for pointing that out.

I fixed the list.
Comment 5 Petr Viktorin (pviktori) 2017-12-21 10:33:39 UTC 
I don't understand which strings need to be validated here.
Comment 6 Huzaifa S. Sidhpurwala 2018-01-02 05:56:45 UTC 
I think what the reporter actually mentions is the ability to trick the user into setting a specially-crafted BROWSER variable, before launching the browser via the webbrowser.py command. I tried the following:

1. $export set BROWSER="elinks; touch /tmp/foo"
   $python -m webbrowser -t "http://www.google.com"
Result: Launches firefox and /tmp/foo does not exists

2. $export set BROWSER="elinks; /home/huzaifas/a"
   $python -m webbrowser -t "http://www.google.com"
Result: Launches firefox and /tmp/foo is created. Here /home/huzaifas/a contains "touch /tmp/foo"

3. $export set BROWSER="elinks; ls > /tmp/list"
   $python -m webbrowser -t "http://www.google.com"
Result: Lanches firefox, /tmp/list is not created

4. $export set BROWSER="ls > /tmp/list"
   $python -m webbrowser -t "http://www.google.com"
Result: Lanches firefox, /tmp/list is not created

So i assume that the argument at https://nvd.nist.gov/vuln/detail/CVE-2017-17522#vulnDescriptionTitle is correct. Since webbrowser.py using Popen, which has shell=False as default, it would not be possible for the attacker to inject malicious commands via the BROWSER env variable.
Comment 7 Petr Viktorin (pviktori) 2018-01-02 10:32:28 UTC 
Yes, BROWSER is fine.

One thing Python does not validate is the URL, so one could, for example, open a *private* window of Firefox with:

    export BROWSER=firefox
    python3 -c 'import webbrowser; webbrowser.open("--private-window")'

or set the default browser:

    export BROWSER=firefox
    python3 -c 'import webbrowser; webbrowser.open("--setDefaultBrowser")'

Maybe that's what the CVE reporter wanted to say?
Comment 8 Huzaifa S. Sidhpurwala 2018-01-15 03:27:23 UTC 
(In reply to Petr Viktorin from comment #7)
> Yes, BROWSER is fine.
> 
> One thing Python does not validate is the URL, so one could, for example,
> open a *private* window of Firefox with:
> 
>     export BROWSER=firefox
>     python3 -c 'import webbrowser; webbrowser.open("--private-window")'
> 
> or set the default browser:
> 
>     export BROWSER=firefox
>     python3 -c 'import webbrowser; webbrowser.open("--setDefaultBrowser")'
> 
> Maybe that's what the CVE reporter wanted to say?

Upstream contested this CVE and the desc explicitly mentions "BROWSER" variable not the URL variable. Also i dont see any merit in fixing this.
Comment 9 Petr Viktorin (pviktori) 2018-01-18 17:13:33 UTC 
I don't either. Closing; if any more discussion is needed then please re-open.
Comment 10 Huzaifa S. Sidhpurwala 2018-01-22 04:53:51 UTC 
Statement:

As per upstream, "exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting". On testing it seems, upstream has correctly concluded the non-security nature of this bug.