Ruby Gem Webbynode 1.0.5.3 Command Injection

2013-12-13T00:00:00
ID PACKETSTORM:124421
Type packetstorm
Reporter Larry W. Cashdollar
Modified 2013-12-13T00:00:00

Description

                                        
                                            `Command injection in Ruby Gem Webbynode 1.0.5.3  
  
Date: 11/11/2014   
  
Author: Larry W. Cashdollar, @_larry0  
  
Download: http://rubygems.org/gems/webbynode   
  
Vulnerability Description:   
The following code located in: ./webbynode-1.0.5.3/lib/webbynode/notify.rb doesn't fully sanitize user supplied input before passing it to the shell via %x.  
  
Messages via the growlnotify command line can possibly be used to execute shell commands if the message contains shell meta characters.  
  
def self.message(message)  
if self.installed? and !$testing  
message = message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "")  
%x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")  
end  
end  
  
The message.gsub regex strips ANSI encoded characters from the #{message} variable, it doesn't strip characters like ;&| etc. If the attacker can control the contents of #{message}, #{TITLE} or #{IMAGE_PATH} they can possibly inject shell commands and execute them as the client user.  
  
  
Vendor: Notified 11/11/2013  
  
I also submitted a pull request   
  
Advisory: http://www.vapid.dhs.org/advisories/webbynode-command-inj.html  
  
`