Title: Vulnerability Report for Ruby Gem gnms-2.1.1 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2014-06-01 |
CVE-ID:[CVE-none] |
CWE: |
Download Site: http://rubygems.org/gems/gnms |
Vendor: david.maciejak[at]gmail.com |
Vendor Notified: 2014-06-25 |
Vendor Contact: david.maciejak@gmail.com |
Advisory: http://www.vapid.dhs.org/advisories/gnms-2.1.1.html |
Description: GNMS is a graphical tool used to monitor state of network elements. |
Vulnerability: From: ./gnms-2.1.1/lib/cmd_parse.rb
The #{ip} variable isn't properly sanitized and can lead to remote command injection if a malicious user specifies an IP address with shell meta characters like ; and &.
0Command injection via {ip} in ping and other functions. 147- lp=""
148- nmap_version = $config.nmap_vers.to_f() 149- if nmap_version >= 6.0
150: lp=`{$config.nmap_path} -sU -sT {ip} --host_timeout 60 2>/dev/null| grep open | grep "^[0-9]"` 151- else
152- if nmap_version > 0.0
153: lp=`{$config.nmap_path} -sU -sT #{ip} --host_timeout 60000 2>/dev/null| grep open | grep "^[0-9]"`
154- end
155- end
177- Return mac adress of the ip if in local arp table 178-
179-def mac_tablelocal(ip)
180: `ping -c 1 -W 1 #{ip}`
181: lp=`arp -n #{ip} | grep #{ip} | awk {print $3;}` 182- there is no entry
183- if lp.chomp == "--"
184- lp=""
232-def ping (ip)
233: pip=`{$config.ping_path} #{ip} -c 1 -n -W 4 2>/dev/null | grep ^64` 234- return pip!=""
235-end |
Export: JSON TEXT XML |
Exploit Code: |
Screen Shots: |
Notes: 108594 |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory