Advisory #: 79
Title: Command injection in Ruby Gem Webbynode 1.0.5.3
Author: Larry W. Cashdollar, @_larry0
Date: 2014-11-11
CVE-ID:[CVE-2013-7086]
CWE: CWE-94 Code Injection
Download Site: http://rubygems.org/gems/webbynode
Vendor: Felipe Coury
Vendor Notified: 2014-11-11
Vendor Contact: felipe.coury@gmail.com
Advisory: http://www.vapid.dhs.org/advisories/webbynode-command-inj.html
Description: Webbynode Deployment Gem
Vulnerability:
The following code located in: ./webbynode-1.0.5.3/lib/webbynode/notify.rb doesn't fully sanitize user supplied input before passing it to the shell via %x. Messages via the growlnotify command line can possibly be used to execute shell commands if the message contains shell meta characters. def self.message(message) if self.installed? and !$testing message = message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "") %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}") end end The message.gsub regex strips ANSI encoded characters from the #{message} variable, it doesn't strip characters like ;&| etc. If the attacker can control the contents of #{message}, #{TITLE} or #{IMAGE_PATH} they can possibly inject shell commands and execute them as the client user.
Export: JSON TEXT XML
Exploit Code:
  1.  
Screen Shots:
Notes:
100920