Bug 1526176 (CVE-2017-17522) - CVE-2017-17522 python: Command injection in Lib/webbrowser.py
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-17522
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1526177 1526178 1526179 1526180 1526181 1526182
Blocks: 1526183
Reported: 2017-12-14 21:28 UTC by Pedro Sampaio
Modified: 2021-02-17 01:05 UTC

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-18 17:13:33 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Python 32367 0 None None None 2017-12-18 16:38:08 UTC

Description Pedro Sampaio 2017-12-14 21:28:54 UTC
Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.

References:

https://security-tracker.debian.org/tracker/CVE-2017-17522

Comment 1 Pedro Sampaio 2017-12-14 21:29:19 UTC
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1526182]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1526180]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1526181]


Created python33 tracking bugs for this issue:

Affects: fedora-all [bug 1526178]


Created python34 tracking bugs for this issue:

Affects: fedora-all [bug 1526179]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1526177]

Comment 2 Miro Hrončok 2017-12-15 17:01:51 UTC
Pedro, how do you track what Python version we have in Fedora? Note that you are creating a bug for the python component, but that's dead since Fedora 25 EOL. Please update it to python2 in your tracking info. Also, we added python37 quite recently as well.

Comment 3 Charalampos Stratakis 2017-12-18 16:38:09 UTC
It seems python upstream was not notified of this issue.

Pedro, could you provide any info (if any) on the relevant upstream bug?

Comment 4 Pedro Sampaio 2017-12-18 19:00:38 UTC
Charalampos,

I couldn't find any more info on it. This CVE seems to have been issued by Debian. Maybe they have more information.

Miro,

Our tracking docs are correct, but I copied that affect list from an old bug. Thank you for pointing that out.

I fixed the list.

Comment 5 Petr Viktorin (pviktori) 2017-12-21 10:33:39 UTC
I don't understand which strings need to be validated here.

Comment 6 Huzaifa S. Sidhpurwala 2018-01-02 05:56:45 UTC
I think what the reporter actually mentions is the ability to trick the user into setting a specially-crafted BROWSER variable, before launching the browser via the webbrowser.py command. I tried the following:

1. $ export set BROWSER="elinks; touch /tmp/foo"
   $ python -m webbrowser -t "http://www.google.com"
Result: Launches firefox and /tmp/foo does not exist

2. $ export set BROWSER="elinks; /home/huzaifas/a"
   $ python -m webbrowser -t "http://www.google.com"
Result: Launches firefox and /tmp/foo is created. Here /home/huzaifas/a contains "touch /tmp/foo"

3. $ export set BROWSER="elinks; ls > /tmp/list"
   $ python -m webbrowser -t "http://www.google.com"
Result: Launches firefox, /tmp/list is not created

4. $ export set BROWSER="ls > /tmp/list"
   $ python -m webbrowser -t "http://www.google.com"
Result: Launches firefox, /tmp/list is not created

So I assume that the argument at https://nvd.nist.gov/vuln/detail/CVE-2017-17522#vulnDescriptionTitle is correct. Since webbrowser.py uses Popen, which has shell=False as default, it would not be possible for the attacker to inject malicious commands via the BROWSER env variable.
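
The Popen behaviour this comment relies on, as an added example (not part of the original comment and not code from webbrowser.py): the same BROWSER-style value is launched once as an argv list with shell=False and once, for contrast, as a string through the shell. It assumes a POSIX system; the helper names, the `true` stand-in for a browser and the temporary marker file are constructed for the demonstration.

```python
import os
import shlex
import subprocess
import tempfile


def launch(browser_value, url, use_shell, workdir):
    """Start the 'browser'; return True if any process was started."""
    if use_shell:
        command = f"{browser_value} {url}"   # one string, parsed by /bin/sh
    else:
        command = [browser_value, url]       # whole value becomes argv[0]
    try:
        subprocess.Popen(command, shell=use_shell, cwd=workdir,
                         stdout=subprocess.DEVNULL,
                         stderr=subprocess.DEVNULL).wait()
        return True
    except OSError:
        # shell=False: there is no executable literally named "true; touch ..."
        return False


def marker_created(use_shell):
    """Return (process_started, marker_exists) for one launch mode."""
    with tempfile.TemporaryDirectory() as workdir:
        marker = os.path.join(workdir, "marker")
        # Constructed value in the shape of test 1 above; `true` stands in
        # for the browser so the demo needs nothing installed.
        browser_value = f"true; touch {shlex.quote(marker)}"
        started = launch(browser_value, "http://example.invalid/",
                         use_shell, workdir)
        return started, os.path.exists(marker)


if __name__ == "__main__":
    print("shell=False:", marker_created(False))
    print("shell=True: ", marker_created(True))
```

With shell=False the launch fails outright and the marker is never written, which is consistent with the tests above falling through to another browser.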

Comment 7 Petr Viktorin (pviktori) 2018-01-02 10:32:28 UTC
Yes, BROWSER is fine.

One thing Python does not validate is the URL, so one could, for example, open a *private* window of Firefox with:

    export BROWSER=firefox
    python3 -c 'import webbrowser; webbrowser.open("--private-window")'

or set the default browser:

    export BROWSER=firefox
    python3 -c 'import webbrowser; webbrowser.open("--setDefaultBrowser")'

Maybe that's what the CVE reporter wanted to say?
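
A caller-side check for the unvalidated-URL case described in this comment, as an added example (not code from this thread or from CPython): it accepts only absolute http(s) URLs, so a value such as "--private-window" never reaches the browser's command line. The names `is_safe_browser_url` and `open_checked` and the allowed-scheme set are assumptions made for the example.

```python
import webbrowser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links are expected


def is_safe_browser_url(url):
    """True only for absolute http(s) URLs that cannot be read as an option."""
    if not isinstance(url, str) or not url:
        return False
    # Reject surrounding whitespace and control characters before parsing,
    # because URL parsers may silently strip them.
    if url != url.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    # A leading dash is what lets the browser treat the value as a flag.
    if url.startswith("-"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. malformed IPv6 literal in the host
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def open_checked(url, opener=webbrowser.open):
    """Validate the URL, then hand it to webbrowser.open (or a test stub)."""
    if not is_safe_browser_url(url):
        raise ValueError(f"refusing to open untrusted value: {url!r}")
    return opener(url)


if __name__ == "__main__":
    # Constructed sample inputs, including the two values from the comment.
    for candidate in ("https://example.org/", "--private-window",
                      "--setDefaultBrowser", "file:///etc/hosts"):
        print(f"{candidate!r:30} -> {is_safe_browser_url(candidate)}")
```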

Comment 8 Huzaifa S. Sidhpurwala 2018-01-15 03:27:23 UTC
(In reply to Petr Viktorin from comment #7)
> Yes, BROWSER is fine.
> 
> One thing Python does not validate is the URL, so one could, for example,
> open a *private* window of Firefox with:
> 
>     export BROWSER=firefox
>     python3 -c 'import webbrowser; webbrowser.open("--private-window")'
> 
> or set the default browser:
> 
>     export BROWSER=firefox
>     python3 -c 'import webbrowser; webbrowser.open("--setDefaultBrowser")'
> 
> Maybe that's what the CVE reporter wanted to say?

Upstream contested this CVE and the desc explicitly mentions "BROWSER" variable not the URL variable. Also I don't see any merit in fixing this.

Comment 9 Petr Viktorin (pviktori) 2018-01-18 17:13:33 UTC
I don't either. Closing; if any more discussion is needed then please re-open.

Comment 10 Huzaifa S. Sidhpurwala 2018-01-22 04:53:51 UTC
Statement:

As per upstream, "exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting". On testing, it seems upstream has correctly concluded the non-security nature of this bug.

