Advisory #: 102
Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14
Author: Larry W. Cashdollar, @_larry0
Date: 2014-04-14
CVE-ID:[CVE-2014-2888]
CWE:
Download Site: http://rubygems.org/gems/sfpagent
Vendor: Herry16
Vendor Notified: 2014-04-16
Vendor Contact: herry13@gmail.com
Advisory: http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html
Description: A Ruby implementation of SFP agent.
Vulnerability:
The list variable generated from the user supplied JSON[body] input is passed directly to the system() shell on line 649. If a user supplies a module name with shell metacharacters like ; they might be able to execute shell commands on the remote system as the sfpagent running user id. From sfpagent-0.4.14/lib/sfpagent/bsig.rb: 637 code, body = get_data(address, port, '/modules') 638 raise Exception, "Unable to get modules list from {name}" if code.to_i != 200 639 640 modules = JSON[body] 641 list = '' 642 schemata.each { |m| 643 list += "{m} " if File.exist?("{modules_dir}/{m}") and 644 (not modules.has_key?(m) or modules[m] != get_local_module_hash(m, modules_dir).to_s) 645 } 646 647 return true if list == '' 648 649 if system("cd #{modules_dir}; #{install_module} #{address} #{port} #{list} 1>/dev/null 2>/tmp/install_module.error") 650 Sfp::Agent.logger.info "Push modules #{list}to #{name} [OK]" 651 else 652 Sfp::Agent.logger.warn "Push modules #{list}to #{name} [Failed]" 653 end 654 655 return true
Export: JSON TEXT XML
Exploit Code:
  1.  
Screen Shots:
Notes:
105971