Advisory #: 72
Title: Remote command Injection in Ruby Gem lipsiadmin 5.1.9
Author: Larry W. Cashdollar, @_larry0
Date: 2013-06-03
CVE-ID:[CVE-none]
CWE:
Download Site: http://rubygems.org/gems/lipsiadmin
Vendor: Davide DAgostino
Vendor Notified: 2013-06-05
Vendor Contact: info@daddye.it
Advisory: http://www.vapid.dhs.org/advisories/lipsiadmin-5.1.9-cmd-exec.html
Description: Lipsiadmin is a new revolutionary admin for your projects. Lipsiadmin is based on Ext Js 3+. framework (with prototype adapter) and is ready for Rails 2.+
Vulnerability:
The function method Attachment.run() is used to convert images ie resize, create thumbnails etc by passing the user supplied filename as an argument to various command line utilities supplied by ImageMagick. Shell meta characters aren't sanitized allowing a remote user to inject commands into the shell via ';'. lipsiadmin-5.1.9/lib/data_base/attachment/attach.rb 74 def run(cmd, params = "", expected_outcodes = 0) 75 command = %Q<#{%Q[#{path_for_command(cmd)} #{params}].gsub(/\s+/, " ")}> 76 command = "#{command} 2>#{bit_bucket}" if Attachment.options[:swallow_stderr] 77 output = `#{command}` 78 unless [expected_outcodes].flatten.include?($?.exitstatus) 79 raise AttachmentCommandLineError, "Error while running #{cmd}" 80 end 81 output 82 end From ./lib/data_base/attachment/geometry.rb: 15 # Uses ImageMagick to determing the dimensions of a file, passed in as either a 16 # File or path. 17 def self.from_file(file) 18 file = file.path if file.respond_to? "path" 19 geometry = begin 20 Attachment.run("identify", %Q[-format "%wx%h" "#{file}"[0]]) 21 rescue AttachmentCommandLineError 22 "" 23 end From ./lib/data_base/attachment/thumbnail.rb: 46 command = <<-end_command 47 "#{ File.expand_path(src.path) }[0]" 48 #{ transformation_command } 49 "#{ File.expand_path(dst.path) }" 50 end_command 51 52 begin 53 success = Attachment.run("convert", command.gsub(/\s+/, " ")) 54 rescue AttachmentCommandLineError 55 raise AttachmentError, "There was an error processing the thumbnail for #{@basename}" if @whiny 56 end
Export: JSON TEXT XML
Exploit Code:
  1.  
Screen Shots:
Notes: