Ruby Gem Arabic Prawn 0.0.1 Command Injection Vulnerability
Source: @_larry0  Author: Cashdollar  Published: 2014-03-13
Title: Remote Command Injection in Arabic Prawn 0.0.1 Ruby Gem
  
Author: Larry W. Cashdollar, @_larry0
  
  
CVE: 2014-2322
Date: 12/17/2013
  
In Arabic-Prawn-0.0.1/lib/string_utf_support.rb, the following lines pass unsanitized input to the shell.
  
426 var = %x{ /usr/bin/curl -I -L --fail --silent --connect-timeout #{seconds} --max-time #{seconds+10} #{url}; /bin/echo -n $? }.to_i
427
428             #return false unless var == 0
429             raise "Failed to create connection to web site: #{url}  --  curl error code: #{var}  --  " unless var == 0
430
431             str = %x{ /usr/bin/curl -L --fail --silent --connect-timeout #{seconds} --max-time #{seconds+10} #{url} | \
432                       /usr/bin/grep -Eo -m 1 \"(charset|encoding)=[\\"']?[^\\"'>]+\" | /usr/bin/grep -Eo \"[^=\\"'>]+$\" }

443             %x{ /usr/bin/touch #{downloaded_file} 2>/dev/null }
444             raise "No valid HTML download file (path) specified!" unless File.file?(downloaded_file)
445             %x{ /usr/bin/curl -L --fail --silent --connect-timeout #{seconds} --max-time #{seconds+10} -o #{downloaded_file} #{url} }
446
447             simple_test = %x{ /usr/bin/file -ik #{downloaded_file} }    #  cf. man file
  
%x{ ... } hands the interpolated string to /bin/sh for parsing. If the downloaded file name #{downloaded_file} or the URL #{url} contains shell metacharacters such as ';', '|', '`' or '$(...)', the shell treats what follows as additional commands, so anyone who controls either value can execute arbitrary commands with the privileges of the Ruby process.
  
PoC

Supplying the following as the download file name:

myfile;id;.txt

turns line 443 into /usr/bin/touch myfile;id;.txt 2>/dev/null, so the shell runs touch myfile, then id, then attempts to run .txt. The id command executes on the command line as the user running the application.
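The following is an added example (not code from the advisory or from the Arabic-Prawn gem) that reproduces the injection in a scratch directory and shows the two fixes a maintainer would apply: handing argv directly to the program through Open3 so no shell is involved, or, where a shell pipeline must stay, escaping every interpolated value with Shellwords. The payload "myfile;echo injected;.txt" stands in for the advisory's "myfile;id;.txt" so the injected command leaves an observable string; touch is resolved from PATH rather than hard-coded as /usr/bin/touch, which is an assumption made so the demo runs on both merged- and split-/usr systems.

```ruby
require "open3"
require "shellwords"
require "tmpdir"

# Vulnerable pattern, mirroring string_utf_support.rb line 443: the file name is
# interpolated into a %x{} string that /bin/sh parses. Returns what the shell printed.
# (Assumption for portability: 'touch' from PATH instead of /usr/bin/touch.)
def vulnerable_touch(downloaded_file)
  %x{ touch #{downloaded_file} 2>/dev/null }
end

# Hardened: argv goes straight to the program, no shell in between, so ';', '|'
# and '$(...)' are just bytes in a file name. "--" stops a name starting with '-'
# from being read as an option.
def safe_touch(downloaded_file)
  _out, status = Open3.capture2e("touch", "--", downloaded_file)
  status.success?
end

# If the shell has to stay (e.g. the curl | grep pipeline on lines 431-432),
# every interpolated value must be escaped for it.
def escaped_touch_command(downloaded_file)
  "touch #{Shellwords.escape(downloaded_file)} 2>/dev/null"
end

# Runs both versions against the same payload in a temporary directory and
# reports what each one actually did.
def demo(payload = "myfile;echo injected;.txt")
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      injected_output = vulnerable_touch(payload)   # shell runs: touch myfile; echo injected; .txt
      vulnerable_files = Dir.children(dir).sort     # only "myfile" is created
      Dir.children(dir).each { |f| File.delete(f) }

      ok = safe_touch(payload)                      # creates a file literally named after the payload
      safe_files = Dir.children(dir).sort

      {
        injected_output: injected_output,
        vulnerable_files: vulnerable_files,
        safe_ok: ok,
        safe_files: safe_files
      }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  p demo
end
```

Running the script prints the injected command's output ("injected") and the single file "myfile" left behind by the vulnerable call, versus one file named exactly "myfile;echo injected;.txt" from the argv-based call. The same change applies to the curl invocations: pass the URL and output path as separate arguments to Open3.capture2e rather than interpolating them into a %x{} string, and reserve Shellwords.escape for the cases where a pipeline genuinely needs the shell.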
  
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved