
[Full-disclosure] Ruby gem Thumbshooter 0.1.5 remote command execution



Ruby gem Thumbshooter 0.1.5 remote command execution

3/25/2013

Generates thumbshots of URLs by using Webkit and QT4.

https://github.com/digineo/thumbshooter

Specially crafted URLs can result in remote code execution if the URL contains shell metacharacters.

We see that the URL is passed directly to the shell in the following code snippet from ./thumbshooter-0.1.5/lib/thumbshooter.rb lines:

 1012 command << "xvfb-run -a --server-args='-screen 0, #{screen}x24' "
 1015 command << "#{WEBKIT2PNG} '#{url}' #{args}"
 1017 img = `#{command} 2>&1`

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org/advisories/thumbshooter-ruby-gem-remoteexec.html
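The advisory's root cause is that the URL is interpolated into a single string that is then handed to /bin/sh via backticks, so the single quotes around it are only as strong as the absence of a quote character in the URL. The following is an added example (not code from the advisory or from the thumbshooter project) showing that pattern next to a hardened form: validate the URL up front, build an argv array so no shell parses it, and use Shellwords only when a printable one-line string is needed. The binary name `WEBKIT2PNG_BIN`, the `1024x768`-style geometry check, and all function names are assumptions made for this example.

```ruby
require 'shellwords'
require 'uri'
require 'open3'

# Hypothetical renderer binary; the gem's own constant is named WEBKIT2PNG.
WEBKIT2PNG_BIN = 'webkit2png'

# Vulnerable pattern (same shape as the advisory's lines 1012-1017): the URL is
# interpolated into one shell string, so the shell, not Ruby, decides where the
# quoted argument ends. A URL containing a single quote escapes the quoting.
def unsafe_command_string(url, screen, args = '')
  "xvfb-run -a --server-args='-screen 0, #{screen}x24' #{WEBKIT2PNG_BIN} '#{url}' #{args}"
end

# Step 1: accept only absolute http(s) URLs that parse cleanly.
# URI::HTTPS is a subclass of URI::HTTP, so one check covers both schemes.
def validate_url!(url)
  uri = URI.parse(url)
  raise ArgumentError, 'only http(s) URLs are allowed' unless uri.is_a?(URI::HTTP)
  raise ArgumentError, 'URL has no host' if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError => e
  raise ArgumentError, "malformed URL: #{e.message}"
end

# Step 2: build an argv array. Each element reaches execve() verbatim, so
# metacharacters in the URL are just bytes in one argument, never shell syntax.
def safe_command_argv(url, screen, extra_args = [])
  raise ArgumentError, 'bad screen geometry' unless screen =~ /\A\d+x\d+\z/
  ['xvfb-run', '-a', "--server-args=-screen 0, #{screen}x24",
   WEBKIT2PNG_BIN, validate_url!(url), *extra_args]
end

# Step 3: when a single string is wanted (logging, display), join the argv with
# Shellwords, which backslash-escapes every element so the shell sees one word.
def safe_command_string(url, screen, extra_args = [])
  Shellwords.join(safe_command_argv(url, screen, extra_args))
end

# Run the argv without a shell. capture2e merges stderr into the output, which
# is what the original `2>&1` redirection was doing.
def run_thumbshot(url, screen)
  out, status = Open3.capture2e(*safe_command_argv(url, screen))
  [out, status.success?]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample URL with a shell metacharacter in its path.
  sample = 'http://example.com/page;x'
  puts "unsafe: #{unsafe_command_string(sample, '1024x768')}"
  puts "safe:   #{safe_command_string(sample, '1024x768')}"
end
```

The argv form is the fix that matters; Shellwords.join is a belt-and-braces layer for the cases where a string is unavoidable. The scheme check also closes the separate issue of a renderer being pointed at `file://` or other local resources.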
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/