Advisory #: 76
Title: MiniMagic ruby gem remote code execution
Author: Larry W. Cashdollar, @_larry0
Date: 2013-03-12
CVE-ID:[CVE-2013-2616][CVE-2013-1877 ]
CWE: CWE-94 Code Injection
Download Site: https://github.com/hcatlin/mini_magick
Vendor: Hampton Catlin
Vendor Notified: 2013-03-12
Vendor Contact: hcatlin@gmail.com
Advisory: http://www.vapid.dhs.org/advisories/minimagick.html
Description: A ruby wrapper for ImageMagick or GraphicsMagick command line. Tested on both Ruby 1.9.2 and Ruby 1.8.7.
Vulnerability:
If a URL is from an untrusted source, commands can be injected into it for remote code execution with the ; character. image = MiniMagick::Image.open(remoteurl) image.resize "5x5" image.format "gif" image.write "localcopy.gif" ./hcatlin-mini_magick-1.3.1/lib/mini_magick.rb Lines 172 command = "#{MiniMagick.processor} #{command} {args.join(' ')}".strip 173 174 if ::MiniMagick.use_subexec 175 sub = Subexec.run(command, :timeout => MiniMagick.timeout) 176 exit_status = sub.exitstatus 177 output = sub.output 178 else 179 output = `{command} 2>&1` 180 exit_status = $?.exitstatus 181 end The .strip will only remove whitespace from the beginning and end of the command.
Export: JSON TEXT XML
Exploit Code:
  1.  
Screen Shots:
Notes:
91231