Title: Remote command injection and SQLi in Ruby Gem brbackup-0.1.1 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2014-07-01 |
CVE-ID:[CVE-2014-5004] |
CWE: |
Download Site: http://rubygems.org/gems/brbackup |
Vendor: Tung Nguyen |
Vendor Notified: 2014-07-08 |
Vendor Contact: tongueroo@gmail.com |
Advisory: http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html |
Description: Gem to create brbackup summary. |
Vulnerability: The following code exposes the database password to the command line, if this gem is used in the context of a rails application command injection can be achived by placing shell metacharacters like ; in the user supplied input for variable dbuser. I suspect the other variables are injectable by playing with " and '.
Also line 313 is vulnerable to SQL injection via the '#{name}' variable.
From: brbackup-0.1.1/lib/brbackup.rb
311-
312- def db_has_myisam?(name)
313- query = "SELECT 1 FROM information_schema.tables WHERE table_schema='#{name}' AND engine='MyISAM' LIMIT 1;"
314: %x{mysql -u #{dbuser} {password_option} -N -e"{query}"}.strip == '1'
315- end
316-
317- def restore_database(name, io)
Where password_option will expose the password to the process table if the password is not nil or empty.
338- def password_option
339 dbpass.nil? || dbpass.empty? ? "" : "-p'#{dbpass}'" |
Export: JSON TEXT XML |
Exploit Code: |
Screen Shots: |
Notes: 108901 |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory