Advisory #: 15
Title: Vulnerability Report for Ruby Gem VladTheEnterprising-0.2
Author: Larry W. Cashdollar, @_larry0
Date: 2014-06-01
CVE-ID:[CVE-none]
CWE:
Download Site: http://rubygems.org/gems/VladTheEnterprising
Vendor: Gem Author: mlwelles[at]gmail.com
Vendor Notified: 2014-06-25
Vendor Contact: mlwelles[at]gmail.com
Advisory: http://www.vapid.dhs.org/advisories/VladTheEnterprising-0.2.html
Description: The mysql root password can be read out of /tmp/my.cnf.#{target_host} if a local user waits to read that after it is written and before it is removed in line 394. It is also possible to clobber files owned by the VladTheEnterprising user process via symlink attack because the my.cnf.#{target_host} doesn't have a randomly created filename. If this Gem is used in the context of a rails application and the user is allowed to specify the target host command injection can occur at line 394 if special shell meta characters are injected like ; and &.
Vulnerability:
0384- cnf << "host = localhost\n" 385- cnf << "user = root\n" 386- cnf << "password = {mysql_root_password}\n" 387: File.open("/tmp/my.cnf.{target_host}", "w") do |file| 388- file.write(cnf) 389- end 390: scp "/tmp/my.cnf.#{target_host}", ".my.cnf" 391- end 392- 393- remote_task :remove_dot_my_cnf, :roles => :new_slave do 394: `rm /tmp/my.cnf.#{target_host}; exit 0` 395- run "rm -f .my.cnf; exit 0" 396- end 397- -- 599- :mysql_err => "/var/log/mysql.err", 600- :my_cnf => lambda { "/etc/mysql/conf.d/{shortname}.cnf" }, 601- :my_src_cnf => lambda { "files/mysql/configs/{shortname}.cnf" }, 602: :my_tmp_cnf => lambda { "/tmp/my.cnf-#{version}"}, 603- :my_dest_cnf => lambda { my_cnf }, 604- :mysql_config_nfs_copy => lambda { true }, 605- :mysql_config_copy => lambda {
Export: JSON TEXT XML
Exploit Code:
  1.  
Screen Shots:
Notes:
108728