Advisory #: 20
Title: Vulnerability Report for Ruby Gem backup-agoddard-3.0.28
Author: Larry W. Cashdollar, @_larry0
Date: 2014-06-01
CVE-ID:[CVE-2014-4993]
CWE:
Download Site: http://rubygems.org/gems/backup-agoddard
Vendor: ]anthonygoddard.com
Vendor Notified: 2014-06-25
Vendor Contact: anthony[at]anthonygoddard.com
Advisory: http://www.vapid.dhs.org/advisories/backup-agoddard-3.0.28.html
Description: Backup is a RubyGem, written for UNIX-like operating systems, that allows you to easily perform backup operations on both your remote and local environments. It provides you with an elegant DSL in Ruby for modeling your backups. Backup has built-in support for various databases, storage protocols/services, syncers, compressors, encryptors and notifiers which you can mix and match. It was built with modularity, extensibility and simplicity in mind.
Vulnerability:
From: ./backup-agoddard-3.0.28/lib/backup/cli/utility.rb Lines 178 and 180 exposed the password to the process table, they are also remote command injection points if this gem is used in the context of a rails application as the user input isn't properly sanitized. 0175- base64 = options[:base64] ? -base64 : 176- password = options[:password_file].empty? ? : "-pass file:#{options[:password_file]}" 177- salt = options[:salt] ? -salt : 178: %x[openssl aes-256-cbc -d #{base64} #{password} #{salt} -in #{options[:in]} -out #{options[:out]}] 179- when gpg 180: %x[gpg -o #{options[:out]} -d #{options[:in]}] 181- else 182- puts "Unknown encryptor: #{options[:encryptor]}" 183- puts "Use either openssl or gpg." -- 224- puts "Please wait..\n\n" 226- end 227- 228- if options[:installed] 230- end 231- end 232-
Export: JSON TEXT XML
Exploit Code:
  1.  
Screen Shots:
Notes:
108578