Ruby Gem Minimagic Command Execution

2013-03-13T00:00:00
ID PACKETSTORM:120777
Type packetstorm
Reporter Larry W. Cashdollar
Modified 2013-03-13T00:00:00

Description

MiniMagick ruby gem remote code execution
  
3/12/2013  
  
https://github.com/hcatlin/mini_magick  
  
A ruby wrapper for ImageMagick or GraphicsMagick command line.  
  
Tested on both Ruby 1.9.2 and Ruby 1.8.7.  
  
If the URL passed to MiniMagick::Image.open comes from an untrusted source, additional shell commands can be injected into it with the ; character, which results in remote code execution on the host running the gem.
  
image = MiniMagick::Image.open(remoteurl)
image.resize "5x5"
image.format "gif"
image.write "localcopy.gif"
  
./hcatlin-mini_magick-1.3.1/lib/mini_magick.rb  
  
Lines

172 command = "#{MiniMagick.processor} #{command} #{args.join(' ')}".strip
173
174 if ::MiniMagick.use_subexec
175   sub = Subexec.run(command, :timeout => MiniMagick.timeout)
176   exit_status = sub.exitstatus
177   output = sub.output
178 else
179   output = `#{command} 2>&1`
180   exit_status = $?.exitstatus
181 end
  
The .strip only removes whitespace from the beginning and end of the command string; it does nothing to neutralize shell metacharacters in the interpolated arguments. In both branches the whole command is handed over as a single string, so a ; inside an argument terminates the ImageMagick command and starts a second shell command.
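Added example, not code from the advisory or from the mini_magick gem: a stripped-down model of the run_command interpolation pattern quoted above, placed beside a hardened version that passes the program and each argument as separate argv entries through Open3.capture2e so no shell is involved. The processor name echo stands in for the ImageMagick binary so the demo runs offline, and the injected path is a constructed input; with the real identify binary the vulnerable variant would execute the injected command the same way.

```ruby
require 'open3'

# Vulnerable pattern: mirrors the string interpolation in run_command.
# The argument list is flattened into one string and handed to /bin/sh
# via backticks, so shell metacharacters in any argument are interpreted.
def run_command_vulnerable(processor, command, *args)
  cmd = "#{processor} #{command} #{args.join(' ')}".strip
  output = `#{cmd} 2>&1`
  [output, $?.exitstatus]
end

# Hardened pattern: program and arguments go to Open3.capture2e as
# separate argv entries. Ruby execs the processor directly, no shell is
# involved, so ';', '|', '$(...)' and friends are just bytes in a filename.
def run_command_safe(processor, command, *args)
  output, status = Open3.capture2e(processor, command, *args)
  [output, status.exitstatus]
end

# Constructed attacker-influenced argument: a "filename" carrying a
# second shell command after ';' (hypothetical input for the demo).
INJECTED_PATH = "/tmp/image.gif; echo INJECTED".freeze

# 'echo' stands in for the ImageMagick binary so the demo runs offline.
# Returns a hash describing what each variant actually executed.
def demo(processor = "echo")
  vuln_out, vuln_status = run_command_vulnerable(processor, "identify", INJECTED_PATH)
  safe_out, safe_status = run_command_safe(processor, "identify", INJECTED_PATH)
  vuln_lines = vuln_out.lines.map(&:chomp)
  safe_lines = safe_out.lines.map(&:chomp)
  {
    vulnerable_lines: vuln_lines,
    safe_lines: safe_lines,
    # A separate "INJECTED" line proves the shell ran a second command.
    vulnerable_executed_injection: vuln_lines.include?("INJECTED"),
    safe_executed_injection: safe_lines.include?("INJECTED"),
    vulnerable_status: vuln_status,
    safe_status: safe_status,
  }
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

In the vulnerable variant the output has two lines, the echoed identify arguments and then INJECTED, because the shell saw two commands. In the hardened variant the entire attacker string, ; and all, is printed back as a single argument and nothing after the ; runs. The same argv discipline applies to Subexec-style helpers: whatever runs the command must receive an array, not a joined string.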
  
Larry W. Cashdollar  
@_larry0  
http://vapid.dhs.org  