Ruby Gem kelredd-pruview 0.3.8 Command Injection
Source: @_larry0  Author: Cashdollar  Published: 2013-04-12
Remote command injection in Ruby Gem kelredd-pruview 0.3.8

Larry W. Cashdollar
4/4/2013
@_larry0

Description: "A gem to ease generating image previews (thumbnails) of various files."

https://rubygems.org/gems/kelredd-pruview

Remote commands can be executed if the file name contains shell meta characters.

./kelredd-pruview-0.3.0/lib/pruview/document.rb

In the following code snippet, the user input is not sanitized for shell metacharacters. A malicious file with special characters in its filename could be used to execute commands as the local user running the gem.

      run_system_command("convert -format jpg \"#{source}[0]\" \"#{@tempfile.path}\"", "Error processing postscript document")
      colorspace = run_system_command("identify #{GLOBAL_CMD_ARGS} -format \"%r\" #{image.path}", "Error reading document colorspace")

The function run_system_command() passes the user-supplied input to the command line via backticks, so the shell interprets it:

    def run_system_command(command, error_message)
      output = `#{command}`
      raise "#{error_message}: error given #{$?}\n#{output}" if $? != 0
      return output
    end

In kelredd-pruview-0.3.0/lib/pruview/video.rb, the video encoding and scaling features are vulnerable as well:

      run("#{FLVTOOL} -U #{target}", "Unable to add meta-data for #{target}.")

      run(build_command(@source, target, width, height, get_info(info_yml), scale_static), "Unable to convert #{@source} to #{target}.")

Run is defined as:

    def run(command, error_message = "Unknown error.")
      raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)
    end

User-controlled data is being sent to the command line without any shell metacharacters being escaped; system() with a single string argument hands that string to /bin/sh.

In kelredd-pruview-0.3.0/lib/pruview/video_image.rb:

      run(build_command(source, "-ss 00:00:#{duration * 0.1}", 'mjpeg', target), "Unable to get preview image for #{target}")

    def self.build_command(source, time_str, format, target)
      command = %Q{#{Video::FFMPEG} -i "#{source}"}
      command += " #{time_str}"
      command += " -f #{format}" if !format.empty?
      command += " -an -y #{target}"
    end

where function run() is defined as:

 37     def self.run(command, error_message = "Unknown error.")
 38       raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)
 39     end
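The following is an added example, not code from the gem or from the advisory author, showing how the document.rb and video_image.rb call sites above could be written so that a filename is never parsed by a shell. It replaces the backtick/system(string) pattern with an argument array passed to Open3.capture2e (no /bin/sh involved) and, for callers that insist on a single command string, builds that string with Shellwords. The function names run_command_safely, convert_argv, ffmpeg_preview_argv and shell_metachar? are assumptions made for this example; the double-quoting of the source path in the original build_command does not stop injection, because quotes inside the filename still terminate the quoted string.

```ruby
require 'open3'
require 'shellwords'
require 'rbconfig'

# Hardened stand-in (added example) for the gem's run_system_command / run.
# argv is an array: program name followed by literal arguments. Because no
# shell is spawned, metacharacters in any element are just bytes in an argv
# entry. Returns combined stdout+stderr like the original backtick call.
def run_command_safely(argv, error_message)
  output, status = Open3.capture2e(*argv)
  unless status.success?
    raise "#{error_message}: error given #{status.exitstatus}\n#{output}"
  end
  output
end

# Argument array equivalent of the gem's string-built ImageMagick call:
#   convert -format jpg "<source>[0]" "<tempfile>"
def convert_argv(source, tempfile_path)
  ["convert", "-format", "jpg", "#{source}[0]", tempfile_path]
end

# Argument array equivalent of video_image.rb's build_command; the "-ss"
# option and its value become two separate argv entries instead of a string.
def ffmpeg_preview_argv(ffmpeg, source, seconds, format, target)
  argv = [ffmpeg, "-i", source, "-ss", format("00:00:%.1f", seconds)]
  argv += ["-f", format] unless format.empty?
  argv + ["-an", "-y", target]
end

# For code paths that can only accept one command string: Shellwords.join
# quotes every element so the shell re-splits it into exactly these argv
# entries. Prefer the array form above wherever possible.
def convert_command_string(source, tempfile_path)
  Shellwords.join(convert_argv(source, tempfile_path))
end

# Defense in depth / detection aid: flag upload names that contain anything
# a POSIX shell treats specially, so they can be rejected or logged before
# reaching any external tool.
SHELL_METACHARS = /[;&|`$<>()\s'"\\*?\[\]{}!#~]/

def shell_metachar?(name)
  !!(name =~ SHELL_METACHARS)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample filename containing metacharacters.
  evil = "photo;echo injected.ps"
  # Using the Ruby interpreter as a stand-in for convert/ffmpeg so this runs
  # anywhere; it simply prints its first argument, proving it arrived intact.
  puts run_command_safely([RbConfig.ruby, "-e", "print ARGV[0]", evil], "demo")
  puts convert_command_string(evil, "/tmp/preview.jpg")
  puts "metachar? #{shell_metachar?(evil)}"
end
```

Running the block prints the filename unchanged (the `;echo` was never interpreted), then a correctly quoted single-string form, then `metachar? true`.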

In line 38 user supplied data is passed to the command line.
This vulnerability doesn't have a CVE assigned yet.

http://vapid.dhs.org/advisories/kelredd-pruview-cmd-inject.html
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved