[Full-disclosure] Remote command injection in Ruby Gem kelredd-pruview 0.3.8
- To: full <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Remote command injection in Ruby Gem kelredd-pruview 0.3.8
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Thu, 11 Apr 2013 20:19:21 +0000 (GMT)
<html><body><div><div><h2>Remote command injection in Ruby Gem kelredd-pruview 0.3.8</h2>
<hr>
<p>Larry W. Cashdollar<br>
4/4/2013<br>
@_larry0
</p><p><b>Description</b>:
"A gem to ease generating image previews (thumbnails) of various files."</p>
<p><a href="https://rubygems.org/gems/kelredd-pruview">https://rubygems.org/gems/kelredd-pruview</a>
</p>
<p>Remote commands can be executed if the file name contains shell
metacharacters.
</p>
<p>Affected file: ./kelredd-pruview-0.3.0/lib/pruview/document.rb
</p>
<p>In the following code snippet, we see the user input isn't sanitized
for shell metacharacters. A malicious file with special characters in
the filename could be used to execute commands as the local user.
</p>
<pre>69 run_system_command("convert -format jpg \"#{source}[0]\"
\"#{@tempfile.path}\"", "Error processing postscript document")
85 colorspace = run_system_command("identify #{GLOBAL_CMD_ARGS} -format
\"%r\" #{image.path}", "Error reading document colorspace")
</pre>
<p>The function run_system_command() passes the user-supplied input to the command line unchanged (backticks hand the whole string to /bin/sh):</p>
<pre>141 def run_system_command(command, error_message)
142 output = `#{command}`
143 raise "#{error_message}: error given #{$?}\n#{output}" if $? != 0
144 return output
145 end
</pre>
<p>In kelredd-pruview-0.3.0/lib/pruview/video.rb the video encoding and scaling features are vulnerable as well:</p>
<pre>27 run("#{FLVTOOL} -U #{target}", "Unable to add meta-data for
#{target}.")
51 run(build_command(@source, target, width, height, get_info(info_yml),
scale_static), "Unable to convert #{@source} to #{target}.")
</pre>
<p>run() is defined as:</p>
<pre>140 def run(command, error_message = "Unknown error.")
141 raise "Ffmpeg error: " + error_message + " - command: '#{command}'"
if !system(command)
142 end
</pre>
<p>User-controlled data is sent to the command line (via system(String), which also goes through /bin/sh) without any shell metacharacters being escaped.</p>
<p>In kelredd-pruview-0.3.0/lib/pruview/video_image.rb:
</p><pre>13 run(build_command(source, "-ss 00:00:#{duration * 0.1}",
'mjpeg', target), "Unable to get preview image for #{target}")

30 def self.build_command(source, time_str, format, target)
31 command = %Q{#{Video::FFMPEG} -i "#{source}"}
32 command += " #{time_str}"
33 command += " -f #{format}" if !format.empty?
34 command += " -an -y #{target}"
35 end
</pre>
<p>where the function run() is defined as:</p>
<pre> 37 def self.run(command, error_message = "Unknown error.")
38 raise "Ffmpeg error: " + error_message + " - command: '#{command}'"
if !system(command)
39 end
</pre>
<p>On line 38 the user-supplied data (the source path and target built into the command string on lines 31 and 34) is passed to the command line.</p>
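<p>The following is an added illustration, not part of this advisory or of the gem's code: the vulnerable "one interpolated string" shape from document.rb is placed beside two hardened forms (Shellwords.escape, and an argv array that never touches a shell), together with a regression check that substitutes <code>echo</code> for <code>identify</code> so it runs without ImageMagick. The filename used is a constructed canary whose only payload is a harmless marker line.</p>

```ruby
require "open3"
require "shellwords"

# Constructed sample filename carrying shell metacharacters. The only
# command it smuggles in is a harmless marker line, used as a canary.
CANARY_NAME = "preview.png; echo INJECTED".freeze

# Vulnerable shape from document.rb: the path is interpolated into one
# string that /bin/sh parses (backticks or system(String)).
def identify_cmd_vulnerable(path, tool: "identify")
  "#{tool} -format \"%r\" #{path}"
end

# Fix 1: Shellwords.escape when a single command string is unavoidable.
def identify_cmd_escaped(path, tool: "identify")
  "#{tool} -format \"%r\" #{Shellwords.escape(path)}"
end

# Fix 2 (preferred): an argv array; Ruby execs the tool directly and no
# shell ever sees the filename.
def identify_argv(path, tool: "identify")
  [tool, "-format", "%r", path]
end

# Runs a command and returns its stdout lines. A String goes through the
# shell when it contains metacharacters; an Array never does.
def output_lines(command)
  out, _status = Open3.capture2(*Array(command))
  out.lines.map(&:chomp)
end

# Regression check: `echo` stands in for `identify`. If the shell
# executes a second command, a second output line ("INJECTED") appears;
# the hardened forms yield exactly one line holding the filename verbatim.
def injection_check(name)
  {
    vulnerable: output_lines(identify_cmd_vulnerable(name, tool: "echo")),
    escaped:    output_lines(identify_cmd_escaped(name, tool: "echo")),
    argv:       output_lines(identify_argv(name, tool: "echo"))
  }
end

if $PROGRAM_NAME == __FILE__
  injection_check(CANARY_NAME).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

<p>A check like <code>injection_check</code> belongs in the gem's test suite: it fails the moment a code path reverts to passing user-controlled names through a shell-parsed string.</p>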
<br>
This vulnerability doesn't have a CVE assigned yet.
<p>
http://vapid.dhs.org/advisories/kelredd-pruview-cmd-inject.html
</p></div></div></body></html>