Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Ruby Gem kelredd-pruview 0.3.8 Command Injection

🗓️ 12 Apr 2013 00:00:00Reported by Larry W. CashdollarType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 17 Views

Ruby Gem kelredd-pruview 0.3.8 Command Injection in Image and Video Processing

Code
`Remote command injection in Ruby Gem kelredd-pruview 0.3.8  
  
Larry W. Cashdollar  
4/4/2013  
@_larry0  
  
Description: "A gem to ease generating image previews (thumbnails) of various files."  
  
https://rubygems.org/gems/kelredd-pruview  
  
Remote commands can be executed if the file name contains shell meta characters.  
  
./kelredd-pruview-0.3.0/lib/pruview/document.rb  
  
In the following code snippet, we see the user input isn't sanitized for shell metacharacters. A malicious file with special characters in the filename could be used to execute commands as the local user.  
  
69 run_system_command("convert -format jpg \"{source}[0]\" \"{@tempfile.path}\"", "Error processing postscript document")  
85 colorspace = run_system_command("identify #{GLOBAL_CMD_ARGS} -format \"%r\" #{image.path}", "Error reading document colorspace")  
  
function run_system_comand() passes user supplied input to the command line.  
  
141 def run_system_command(command, error_message)  
142 output = `{command}`  
143 raise "{error_message}: error given {$?}\n{output}" if $? != 0  
144 return output  
145 end  
  
In kelredd-pruview-0.3.0/lib/pruview/video.rb: Also the video encoding and scaling features are vulnerable as well:  
  
27 run("#{FLVTOOL} -U #{target}", "Unable to add meta-data for #{target}.")  
  
51 run(build_command(@source, target, width, height, get_info(info_yml), scale_static), "Una ble to convert #{@source} to #{target}.")  
  
Run is defined as:  
  
140 def run(command, error_message = "Unknown error.")  
141 raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)  
142 end  
  
User controlled data is being sent to the command line with out any shell meta charatcers being escaped.  
  
In kelredd-pruview-0.3.0/lib/pruview/video_image.rb:  
  
13 run(build_command(source, "-ss 00:00:#{duration * 0.1}", 'mjpeg', target), "Unable to get preview image for #{target}")  
  
30 def self.build_command(source, time_str, format, target) 31 command = %Q{#{Video::FFMPEG} -i "#{source}"} 32 command += " #{time_str}" 33 command += " -f #{format}" if !format.empty? 34 command += " -an -y #{target}" 35 end  
  
where function run() is defined as:  
  
37 def self.run(command, error_message = "Unknown error.")  
38 raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)  
39 end   
  
In line 38 user supplied data is passed to the command line.  
This vulnerability doesn't have a CVE assigned yet.  
  
http://vapid.dhs.org/advisories/kelredd-pruview-cmd-inject.html   
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Apr 2013 00:00Current
0.2Low risk
Vulners AI Score0.2
ruby gemkelredd-pruview 0.3.8command injectionimage processingvideo processingcvevulnerabilityadvisory
17