[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Remote Command Injection in Ruby Gem sfpagent 0.4.14
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Remote Command Injection in Ruby Gem sfpagent 0.4.14
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Fri, 18 Apr 2014 08:41:49 -0400
Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14
Date: 4/15/2014
Author: Larry W. Cashdollar, @_larry0
CVE: 2014-2888
Download: http://rubygems.org/gems/sfpagent
Vulnerability
The list variable generated from the user supplied JSON[body] input is passed
directly to the system() shell on line 649. If a user supplies a module name
with shell metacharacters like ; they might be able to execute shell commands
on the remote system as the sfpagent running user id.
From sfpagent-0.4.14/lib/sfpagent/bsig.rb:
637 code, body = get_data(address, port, '/modules')
638 raise Exception, "Unable to get modules list from
{name}" if code.to_i != 200
639
640 modules = JSON[body]
641 list = ''
642 schemata.each { |m|
643 list += "{m} " if
File.exist?("{modules_dir}/{m}") and
644 (not modules.has_key?(m)
or modules[m] != get_local_module_hash(m, modules_dir).to_s)
645 }
646
647 return true if list == ''
648
649 if system("cd #{modules_dir}; #{install_module}
#{address} #{port} #{list} 1>/dev/null 2>/tmp/install_module.error")
650 Sfp::Agent.logger.info "Push modules
#{list}to #{name} [OK]"
651 else
652 Sfp::Agent.logger.warn "Push modules
#{list}to #{name} [Failed]"
653 end
654
655 return true
Vendor: Notified 4/15/14. Version 0.4.15 fixes this issue.
Advisory: http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html
- Prev by Date:
[SECURITY] [DSA 2910-1] qemu-kvm security update
- Next by Date:
[security bulletin] HPSBMU02995 rev.4 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure of Information
- Previous by thread:
[SECURITY] [DSA 2910-1] qemu-kvm security update
- Next by thread:
[security bulletin] HPSBMU02995 rev.4 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure of Information
- Index(es):