Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14
Date: 4/15/2014
Author: Larry W. Cashdollar, @_larry0
CVE: 2014-2888
Download: http://rubygems.org/gems/sfpagent
Vulnerability
The list variable, generated from the user-supplied JSON[body] input, is passed directly to the shell via system() on line 649. If a user supplies a module name containing shell metacharacters such as ;, they might be able to execute shell commands on the remote system as the user ID running sfpagent.
From sfpagent-0.4.14/lib/sfpagent/bsig.rb:
637 code, body = get_data(address, port, '/modules')
638 raise Exception, "Unable to get modules list from #{name}" if code.to_i != 200
639
640 modules = JSON[body]
641 list = ''
642 schemata.each { |m|
643 list += "#{m} " if File.exist?("#{modules_dir}/#{m}") and
644 (not modules.has_key?(m) or modules[m] != get_local_module_hash(m, modules_dir).to_s)
645 }
646
647 return true if list == ''
648
649 if system("cd #{modules_dir}; #{install_module} #{address} #{port} #{list} 1>/dev/null 2>/tmp/install_module.error")
650 Sfp::Agent.logger.info "Push modules #{list}to #{name} [OK]"
651 else
652 Sfp::Agent.logger.warn "Push modules #{list}to #{name} [Failed]"
653 end
654
655 return true
Vendor: Notified 4/15/14. Version 0.4.15 fixes this issue.
Advisory: http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html
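One way to remove the shell from the call on line 649, shown as an added example: it is not code from the advisory and not the vendor's 0.4.15 change. The helper names, the MODULE_NAME pattern and the sample names are assumptions; install_module, address, port and modules_dir are the variables from the excerpt above.

```ruby
require 'open3'
require 'rbconfig'

# Assumed naming rule (not taken from sfpagent): letters, digits, '_', '.', '-',
# with no leading '-' or '.', so a name cannot be read as an option or dot path.
# \A and \z anchor the whole string; ^ and $ would accept "ok\n; cmd".
MODULE_NAME = /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/

# Hypothetical helper: split candidate names into [accepted, rejected].
def partition_module_names(names)
  names.partition { |n| n.is_a?(String) && MODULE_NAME.match?(n) }
end

# Hypothetical helper: build an argv array instead of the interpolated
# command string used on line 649. Raises if any name fails the allowlist.
def install_argv(install_module, address, port, names)
  _ok, rejected = partition_module_names(names)
  raise ArgumentError, "rejected module names: #{rejected.inspect}" unless rejected.empty?
  [install_module, address.to_s, Integer(port).to_s, *names]
end

# Multi-argument system() execs the program directly; no shell parses argv.
# chdir:/out:/err: replace the "cd ...;" and redirections of the original string.
def run_install(argv, modules_dir, error_log)
  system(*argv, chdir: modules_dir, out: File::NULL, err: error_log)
end

# Demonstration: how many arguments a child process receives when spawned in
# argv form (the child is this Ruby interpreter, standing in for the installer).
def child_arg_count(args)
  out, _status = Open3.capture2(RbConfig.ruby, '-e', 'print ARGV.length', '--', *args)
  out.to_i
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names, not taken from a real /modules response.
  constructed = ['ssh', 'apache-2.4', 'mod; echo injected', "ok\n", '-rf']
  ok, bad = partition_module_names(constructed)
  puts "accepted: #{ok.inspect}"
  puts "rejected: #{bad.inspect}"
  puts "argv form delivers #{child_arg_count(['mod; echo injected'])} argument(s)"
end
```

The allowlist and the argv form are independent controls: the argv form keeps the shell from parsing the name, while the allowlist stops names that the installer itself could misread, such as ones starting with a hyphen.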