Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29347
HistoryMay 06, 2013 - 12:00 a.m.

Remote command execution in Ruby Gem Command Wrap

2013-05-0600:00:00
vulners.com
26

Remote command execution in Ruby Gem Command Wrap

3/15/2013
http://rubygems.org/gems/command_wrap

Commands executed if the remote URL or filename contains the shell character ';'. The commands will be executed as the client user if tricked into using the malicious URL or filename.

Examining the following lines:

command_wrap.rb-7- def self.capture (url, target)

command_wrap.rb-8- command = CommandWrap::Config::Xvfb.command(File.dirname(FILE) + "/…/bin/CutyCapt --min-width=1024 --min-height=768 --url={url} --out={target}")
command_wrap.rb:9: `#{command}`
command_wrap.rb-10- end
command_wrap.rb-11-

command_wrap.rb-72- command = CommandWrap::Config::Xvfb.command(File.dirname(FILE) + "/…/bin/wkhtmltopdf --quiet --print-media-type #{source} #{params} #{target}") command_wrap.rb-73-
command_wrap.rb:74: `#{command}`

Untrusted data is passed to the command line.

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org/advisories/command-wrap-remoteexec.html