| Title: Remote command injection in Ruby Gem kelredd-pruview 0.3.8 |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2013-04-04 |
| CVE-ID:[CVE-2013-1947] |
| CWE: CWE-78 OS Command Injections |
| Download Site: https://rubygems.org/gems/kelredd-pruview |
| Vendor: Kelly D. Redding |
| Vendor Notified: 2013-04-04 |
| Vendor Contact: kelly@kellyredding.com |
| Advisory: http://www.vapid.dhs.org/advisories/kelredd-pruview-cmd-inject.html |
| Description: A gem to ease generating image previews (thumbnails) of various files. |
| Vulnerability: Remote commands can be executed if the file name contains shell meta characters.
./kelredd-pruview-0.3.0/lib/pruview/document.rb
In the following code snippet, we see the user input isn't sanitized for shell metacharacters. A malicious file with special characters in the filename could be used to execute commands as the local user.
69 run_system_command("convert -format jpg \"{source}[0]\" \"{@tempfile.path}\"", "Error processing postscript document")
85 colorspace = run_system_command("identify #{GLOBAL_CMD_ARGS} -format \"%r\" #{image.path}", "Error reading document colorspace")
function run_system_comand() passes user supplied input to the command line.
141 def run_system_command(command, error_message)
142 output = `{command}`
143 raise "{error_message}: error given {$?}\n{output}" if $? != 0
144 return output
145 end
In kelredd-pruview-0.3.0/lib/pruview/video.rb: Also the video encoding and scaling features are vulnerable as well:
27 run("#{FLVTOOL} -U #{target}", "Unable to add meta-data for #{target}.")
51 run(build_command(@source, target, width, height, get_info(info_yml), scale_static), "Una ble to convert #{@source} to #{target}.")
Run is defined as:
140 def run(command, error_message = "Unknown error.")
141 raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)
142 end
User controlled data is being sent to the command line with out any shell meta charatcers being escaped.
In kelredd-pruview-0.3.0/lib/pruview/video_image.rb:
13 run(build_command(source, "-ss 00:00:#{duration * 0.1}", 'mjpeg', target), "Unable to get preview image for #{target}")
30 def self.build_command(source, time_str, format, target)
31 command = %Q{#{Video::FFMPEG} -i "#{source}"}
32 command += " #{time_str}"
33 command += " -f #{format}" if !format.empty?
34 command += " -an -y #{target}"
35 end
where function run() is defined as:
37 def self.run(command, error_message = "Unknown error.")
38 raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)
39 end
In line 38 user supplied data is passed to the command line. |
| Export: JSON TEXT XML |
| Exploit Code: |
| Screen Shots: |
Notes: 92228 |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory