CVE-2017-16667 in Back In Time
Summary
by MITRE
backintime (aka Back in Time) before 1.1.24 did improper escaping/quoting of file paths used as arguments to the 'notify-send' command, leading to some parts of file paths being executed as shell commands within an os.system call in qt4/plugins/notifyplugin.py. This could allow an attacker to craft an unreadable file with a specific name to run arbitrary shell commands.
Analysis
by VulDB Data Team • 01/10/2023
The vulnerability CVE-2017-16667 affects backintime versions prior to 1.1.24 and represents a critical command injection flaw in the notify-send functionality. This issue stems from improper handling of file paths within the Qt4 notification plugin, specifically in the qt4/plugins/notifyplugin.py file where os.system calls are executed without adequate input sanitization. The vulnerability manifests when the application processes file paths that contain special shell characters, allowing maliciously crafted filenames to be interpreted as shell commands rather than simple file names.
The technical flaw resides in the lack of proper shell argument escaping or quoting mechanisms when constructing command-line arguments for the notify-send utility. When backintime processes files with names containing characters such as semicolons, ampersands, or other shell metacharacters, these characters are not properly escaped before being passed to the os.system function. This creates a classic command injection vulnerability where attacker-controlled input can be executed as shell commands within the application's context. The vulnerability is particularly dangerous because it allows an attacker to craft specific filenames that, when processed by the backup application, will execute arbitrary shell commands with the privileges of the user running backintime.
The operational impact of this vulnerability is significant because it can be exploited by anyone who gains the ability to create or rename files within the backup directory structure. Such an attacker could create a file whose name contains shell command sequences; those sequences would execute when the backup run reports that file (for example, as unreadable) through the notification plugin. This is particularly concerning in multi-user environments or when backintime runs with elevated privileges, as it could allow privilege escalation or arbitrary code execution on the target system. The flaw is confined to the notification plugin, but it could be chained with other attacks to compromise the entire backup system.
Mitigation strategies for this vulnerability include upgrading to backintime version 1.1.24 or later, which contains the necessary patch to properly escape and quote file paths before passing them to shell commands. Organizations should also implement proper input validation and sanitization practices for all file operations within backup systems. The vulnerability aligns with CWE-78 which describes improper neutralization of special elements used in OS commands, and can be mapped to ATT&CK technique T1059.001 for executing shell commands. System administrators should review and audit backup configurations to ensure that file naming conventions do not introduce shell injection risks, and consider implementing additional security controls such as restricted file permissions and monitoring for suspicious file creation patterns within backup directories.
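As an added illustration, not code from Back In Time or from VulDB, the following Python puts the flaw described in the analysis next to the two fixes the mitigation paragraph calls for: a command string assembled by raw interpolation (the pattern the pre-1.1.24 plugin followed; the exact string notifyplugin.py built is not reproduced here), the same string with every argument passed through `shlex.quote`, and the shell-free argv form that needs no quoting at all. A small audit helper at the end flags file names a shell would interpret, matching the advice to monitor backup directories for suspicious names. The file name, the notification title `Backup`, and all function names are constructed for this example.

```python
import shlex
import subprocess
import sys

# Constructed sample file name (not from the advisory): it carries a ';',
# one of the shell metacharacters the analysis names.
SAMPLE_NAME = "notes; echo hi.txt"
TITLE = "Backup"  # assumed notification title, not the plugin's real one


def unsafe_notify_command(title: str, path: str) -> str:
    """Build the command the way the pre-1.1.24 plugin did in spirit:
    raw interpolation into a string destined for os.system. The string
    is only returned for inspection; nothing here executes it."""
    return "notify-send %s %s" % (title, path)


def safe_notify_command(title: str, path: str) -> str:
    """Same command, but every argument goes through shlex.quote, so a
    shell receives each value as exactly one word."""
    return "notify-send %s %s" % (shlex.quote(title), shlex.quote(path))


def notify_argv(title: str, path: str) -> list:
    """Preferred fix: an argv list for subprocess.run(..., shell=False).
    With no shell involved, metacharacters in `path` are just characters."""
    return ["notify-send", title, path]


def shell_words(command: str) -> list:
    """Tokenise a command string as a POSIX shell would, treating ';' and
    similar punctuation as separators, to show how many words the file
    name turned into."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def argv_roundtrip(path: str) -> str:
    """Show that the shell-free route delivers the name intact. The child
    is the Python interpreter itself (so the demo runs anywhere) and it
    simply echoes back argv[1]; a real notifier would exec notify-send
    through the same list-based call."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", path]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


def has_shell_metacharacters(name: str) -> bool:
    """Audit helper for backup directories: flag names a shell would
    interpret unless quoted. Used for monitoring, not for sanitising;
    the fix is to keep the shell out of the path entirely."""
    return any(c in name for c in ";&|$`<>(){}*?!\"'\\\n")


if __name__ == "__main__":
    unsafe = unsafe_notify_command(TITLE, SAMPLE_NAME)
    safe = safe_notify_command(TITLE, SAMPLE_NAME)
    print("unsafe words:", shell_words(unsafe))  # name splits and ';' becomes a separator
    print("safe words:  ", shell_words(safe))    # name stays a single word
    print("argv route:  ", argv_roundtrip(SAMPLE_NAME) == SAMPLE_NAME)
    print("flag name?   ", has_shell_metacharacters(SAMPLE_NAME))
```

Running the script shows the unsafe string tokenising into six shell words, with the file name's `;` standing alone as a command separator, while the quoted string keeps the name as one word. The argv form is the one to prefer in new code: `subprocess.run(notify_argv(...))` never consults a shell, so there is nothing to escape and nothing for an unusual file name to break out of.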