sup Remote Command Execution
Source: joernchen () phenoelit de  Author: joernchen  Published: 2013-10-31
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-++->

[ Authors ]
        joernchen       <joernchen () phenoelit de>

        Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
        sup <= 0.14.1 (on non Darwin systems)
        sup <= 0.13.2 (on non Darwin systems) 
        http://supmua.org

[ Vendor communication ]
        2013-10-28 Sent vulnerability details to sup maintainer
        2013-10-28 Maintainer proposes fix
        2013-10-29 Sup 0.13.2.1 and 0.14.1.1 are released [1]
        2013-10-29 Release of this advisory

[ Description ]

        Observe in sup/lib/sup/message_chunks.rb:

def view_default! path
  ## please see note in write_to_disk on important usage
  ## of quotes to avoid remote command injection.
  case RbConfig::CONFIG['arch']
    when /darwin/
      cmd = "open #{path}"
    else
      cmd = "/usr/bin/run-mailcap --action=view #{@content_type}:#{path}"
  end
  debug "running: #{cmd.inspect}"
  BufferManager.shell_out(cmd)
  $? == 0
end
   
        Here @content_type is attacker controlled and not further
        sanitized, so a forged content type on an email attachment
        can trigger a command injection.

[ Example ]
        For convenience, the email delivering this file serves as an
        example. When this attachment is viewed in a vulnerable version
        of sup, its content type "text/'`id>/tmp/whatsup`'pwn"
        causes a file named "whatsup" to be created in the /tmp directory.

[ Solution ]
        Upgrade to version 0.14.1.1 or 0.13.2.1

[ References ]
        [0] https://github.com/sup-heliotrope/sup/blob/916a354db8eb851bff6ff2e3f2e08727d132a8dc/lib/sup/message_chunks.rb#L175
        [1] http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html

[ end of file ]
