Security Disclosures

2022-05-22 Disabled Command Execution

On March 30, 2019, a code change was made to HashBackup. Below is the commit log for this change. The first release containing this change was #2224 on April 19, 2019.

changeset:   2201:8133818a2c13
user:        Jim <email>
date:        Sat Mar 30 12:48:40 2019 -0400
summary:     hb: move misc.checkcommand() to hb and out of each command

There is a main command dispatch function in HashBackup called hb. It performs the auditing function and then dispatches to individual command handlers. misc.checkcommand() is a function that tests whether a command is enabled and raises an error if it is disabled by the config options enable-commands or disable-commands.

Before this commit, misc.checkcommand() was performed inside each individual HB command handler independently. With this commit, the check was moved from the individual command handlers to the main hb command dispatcher.

However, in the dispatcher this check ran only after the audit log had been written to the database. If writing the audit log failed, the resulting exception skipped misc.checkcommand() entirely, with the effect that disabled commands could be executed.

One way to trigger this bug, shown below, is to reduce access to the backup database to read-only. This causes audit logging to fail, bypassing the disabled command check. There may be other ways to cause audit logging to fail (for example, a full disk), with the same result. In the example below, only the stats command should be enabled, but the ls command is allowed to run.
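The following Python script is an added illustration and not HashBackup's source: the dispatcher layout is a model reconstructed from the description above, and checkcommand(), audit(), dispatch_vulnerable() and dispatch_fixed() are hypothetical names. It shows why a policy check that sits after the audit write is skipped when that write fails, and the ordering that closes the gap. The read-only database is simulated in memory with SQLite's query_only pragma, which raises the same "attempt to write a readonly database" error that a read-only backup directory produces.

```python
import sqlite3

# Commands the hb config output says can never be disabled.
ALWAYS_ENABLED = {"init", "upgrade", "log"}


class CommandDisabled(Exception):
    """Raised when enable-commands / disable-commands block a command."""


def checkcommand(cmd, config):
    """Stand-in for misc.checkcommand() (hypothetical model, not HashBackup's code).

    enable-commands, when set, is an allow-list; disable-commands is a deny-list.
    """
    if cmd in ALWAYS_ENABLED:
        return
    enabled = [c for c in config.get("enable-commands", "").split(",") if c]
    disabled = [c for c in config.get("disable-commands", "").split(",") if c]
    if enabled and cmd not in enabled:
        raise CommandDisabled("Command is disabled")
    if cmd in disabled:
        raise CommandDisabled("Command is disabled")


def audit(db, cmd):
    """Append one audit row; on a read-only database this raises
    sqlite3.OperationalError('attempt to write a readonly database')."""
    db.execute("INSERT INTO audit(cmd) VALUES (?)", (cmd,))
    db.commit()


def dispatch_vulnerable(db, config, cmd, handlers):
    """Ordering described in the disclosure (modelled, not the real hb source):
    the enable check sits after the audit write inside the same error handler,
    so an audit failure jumps to the warning and the check never runs."""
    try:
        audit(db, cmd)
        checkcommand(cmd, config)   # never reached when audit() raises
    except sqlite3.OperationalError as e:
        print("Warning: unable to audit command:", e)
    return handlers[cmd]()          # BUG: runs even if the command is disabled


def dispatch_fixed(db, config, cmd, handlers):
    """Hardened ordering: the policy check runs first and outside any handler
    that downgrades errors to warnings, so no audit failure can skip it."""
    checkcommand(cmd, config)
    try:
        audit(db, cmd)
    except sqlite3.OperationalError as e:
        print("Warning: unable to audit command:", e)
    return handlers[cmd]()


def make_db(read_only):
    """Constructed in-memory stand-in for the backup database with an audit table.
    PRAGMA query_only makes every write fail with SQLITE_READONLY, the same
    error a read-only backup directory produces on the real file."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit(cmd TEXT)")
    if read_only:
        db.execute("PRAGMA query_only = 1")
    return db


def run(dispatcher, cmd, read_only):
    """Run one command through a dispatcher with enable-commands=stats, as in
    the disclosure's example, and return what happened."""
    config = {"enable-commands": "stats"}
    handlers = {"ls": lambda: "ls ran", "stats": lambda: "stats ran"}
    try:
        return dispatcher(make_db(read_only), config, cmd, handlers)
    except CommandDisabled as e:
        return str(e)


if __name__ == "__main__":
    for name, d in (("vulnerable", dispatch_vulnerable), ("fixed", dispatch_fixed)):
        for ro in (False, True):
            print(f"{name:10s} read-only={ro!s:5s} ls -> {run(d, 'ls', ro)}")
```

With a writable database both dispatchers refuse ls; with the read-only database only dispatch_fixed still refuses it. The design point is that an authorization check must not share an exception path with a step that is allowed to fail softly: here the audit failure is caught and turned into a warning, and anything placed after the audit inside that try block is silently skipped. Whether an unwritable audit log should itself abort the command is a separate policy decision; the disclosure's fix only reorders the check.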

By default, the HashBackup directory is created with 700 permissions and only the owner has access. This helps mitigate this security issue, though an admin may have created the backup directory under a user’s id, added an admin passphrase to protect the config, and disabled some commands. Since the user does not know the admin passphrase, they cannot re-enable commands. But because of the vulnerability, the user could temporarily change their access to read-only, use disabled commands, then change permissions back.

This bug was found on Feb 21, 2022 via internal testing and not reported by anyone using HashBackup. A fix was released the same day in release #2772 with an entry in the release notes that a full disclosure would be given in 90 days to give sites time to upgrade. This note is the full disclosure.

Release #2876 on April 1, 2022 performs a database upgrade. After a db upgrade, earlier releases cannot access the HashBackup database, so this db upgrade is important to prevent older versions of HashBackup with the vulnerability from accessing disabled commands against the backup database.

Example showing execution of a disabled command:

# --- create a backup
$ hb init -c hb
HashBackup #2490 Copyright 2009-2022 HashBackup, LLC
Backup directory: /hb2490/hb
Permissions set for owner access only
Created key file /hb2490/hb/key.conf
Key file set to read-only
Setting include/exclude defaults: /hb2490/hb/inex.conf

VERY IMPORTANT: your backup is encrypted and can only be accessed with
the encryption key, stored in the file:

    /hb2490/hb/key.conf

You MUST make copies of this file and store them in secure locations,
separate from your computer and backup data.  If your hard drive fails,
you will need this key to restore your files.  If you have setup remote
destinations in dest.conf, that file should be copied too.

Backup directory initialized

# --- save 1 file for the test
$ hb backup -c hb backup.py
HashBackup #2490 Copyright 2009-2022 HashBackup, LLC
Backup directory: /hb2490/hb
Backup start: 2022-02-21 23:00:20
Copied HB program to /hb2490/hb/hb#2490
This is backup version: 0
Dedup not enabled; use -Dmemsize to enable
/
/hb2490
/hb2490/backup.py
/hb2490/hb
/hb2490/hb/inex.conf

Time: 0.1s
CPU:  0.0s, 64%
Mem:  55 MB
Checked: 7 paths, 134390 bytes, 134 KB
Saved: 7 paths, 134390 bytes, 134 KB
Excluded: 0
Dupbytes: 0
Compression: 68%, 3.2:1
Efficiency: 0.00 MB reduced/cpusec
Space: +42 KB, 189 KB total
No errors

# --- disable all commands except stats
$ hb config -c hb enable-commands stats
HashBackup #2490 Copyright 2009-2022 HashBackup, LLC
Backup directory: /hb2490/hb
Cache size: 29 MB (3600 pages)
Current config version: 1
Warning: admin-passphrase is not set
Note: these commands cannot be disabled: init,upgrade,log

Set enable-commands to stats (was '') for future backups

# --- try ls command
$ hb ls -c hb
HashBackup #2490 Copyright 2009-2022 HashBackup, LLC
Backup directory: /hb2490/hb
Command is disabled

# --- set backup directory to read-only (grant others read-only)
$ chmod -R 555 hb

# --- ls should be disabled but is not because of the audit failure
$ hb ls -c hb
HashBackup #2490 Copyright 2009-2022 HashBackup, LLC
Warning: unable to audit command:
Traceback (most recent call last):
  File "hb.py", line 97, in <module>
OperationalError: attempt to write a readonly database

Backup directory: /hb2490/hb
Most recent backup version: 0
Showing most recent version, use -ad for all
/  (parent, partial)
/hb2490  (parent, partial)
/hb2490/backup.py
/hb2490/hb  (parent, partial)
/hb2490/hb/inex.conf