Released on: 2013-03-18
Updated on: 2013-03-20
Affected Systems:
Rubygems command_wrap
Description:
--------------------------------------------------------------------------------
Bugtraq id: 58556
The RubyGems 'command_wrap' gem is a set of tools to extract metadata of different file types.
command_wrap has a command-injection vulnerability when processing malicious URLs or file names: the values are interpolated into a shell command string that is executed with backticks. If a remote URL or file name contains shell metacharacters such as ';', an attacker who can get the application to process that URL or file name can execute arbitrary commands.
<* Source: Larry W. Cashdollar (lwc@vapid.dhs.org)
Link: http://seclists.org/fulldisclosure/2013/Mar/175
http://packetstormsecurity.com/files/120847/rubycommandwrap-exec.txt
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users act at their own risk!
Relevant lines of lib/command_wrap.rb (grep output from the original report; user-controlled values are interpolated into a command string that is then run through backticks):
command_wrap.rb-7-  def self.capture(url, target)
command_wrap.rb-8-    command = CommandWrap::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/CutyCapt --min-width=1024 --min-height=768 --url=#{url} --out=#{target}")
command_wrap.rb:9:    `#{command}`
command_wrap.rb-10-  end
command_wrap.rb-11-
--
command_wrap.rb-72-    command = CommandWrap::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/wkhtmltopdf --quiet --print-media-type #{source} #{params} #{target}")
command_wrap.rb-73-
command_wrap.rb:74:    `#{command}`
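The vulnerable shape quoted above beside two hardened forms, as an added example that is not code from the advisory or from the command_wrap gem. The CutyCapt command line is only built, never run; the shell-free demonstration uses the current Ruby interpreter as the child process (an assumption made so the example runs anywhere Ruby does).

```ruby
# Added example; not code from the advisory or from the command_wrap gem.
require "open3"
require "rbconfig"
require "shellwords"

# Pattern from the advisory: attacker-controlled text is pasted into a single
# command string that a shell will parse, so a url of "http://x/;id" runs `id`
# as a second command. Returned rather than executed, to make the injected
# second command visible without running it.
def build_command_unsafe(url, target)
  "CutyCapt --min-width=1024 --min-height=768 --url=#{url} --out=#{target}"
end

# Mitigation 1: escape every argument before joining them into a shell string,
# so metacharacters inside url/target reach CutyCapt as literal characters.
def build_command_escaped(url, target)
  ["CutyCapt", "--min-width=1024", "--min-height=768",
   "--url=#{url}", "--out=#{target}"].shelljoin
end

# Mitigation 2 (preferred): no shell at all. An argv array is handed straight
# to exec(2), so ';', '|' and '$(...)' are plain bytes within one argument.
# The child here is Ruby itself running a constructed one-liner that echoes
# ARGV[0] back unchanged; in the gem this slot would hold the real binary.
def run_without_shell(arg)
  out, status = Open3.capture2e(RbConfig.ruby, "-e", "print ARGV[0]", arg)
  status.success? ? out : nil
end

# Allowlist check a defender can apply before building any command line:
# a URL bound for a subprocess may contain no shell metacharacters or spaces.
def shell_safe_url?(url)
  !!(url =~ %r{\Ahttps?://[A-Za-z0-9._~:/?#\[\]@!*+,=%-]+\z})
end
```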
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Rubygems
--------
Currently, the vendor does not provide a patch or upgrade. We recommend that users of the software watch the vendor's homepage for the latest version:
http://rubygems.org/gems/command_wrap