RubyGems rgpg 'gpg_helper.rb' Remote Command Injection Vulnerability

Vulnerability ID: 1166592    Vulnerability type: Code injection
Published: 2013-08-02    Updated: 2013-08-05
CVE: CVE-2013-4203    CNNVD-ID: CNNVD-201308-026
Platform: N/A    CVSS score: 7.5
|Vulnerability sources
https://www.securityfocus.com/bid/61575
https://cxsecurity.com/issue/WLB-2013080032
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201308-026
|Vulnerability details
rgpg is a RubyGems gem that provides an API around the gpg tool. Versions of the Ruby rgpg gem before 0.2.3 contain a remote command injection vulnerability in the 'self.run_gpg' function in lib/rgpg/gpg_helper.rb. A remote attacker can exploit this vulnerability to execute arbitrary commands via shell metacharacters.
|Exploit (EXP)
Title: Rgpg Ruby Gem Remote Command Injection

Date: 7/31/2013

Advisory Author: Larry W. Cashdollar, @_larry0

CVE: TBD

Download: https://rubygems.org/gems/rgpg

Description:

"A simple Ruby wrapper around gpg command for file encryption.
rgpg is a simple API for interacting with the gpg tool. It is specifically designed to avoid altering global keyring state 
by creating temporary public and secret keyrings on the fly for encryption and decryption."

Vulnerability:

The following code snippet does not sanitize user supplied input before passing it to the system() function for execution. If this API is used in the context of a Rails application, remote commands can be injected into the shell if the user supplies shell metacharacters like ; and &. In lib/rgpg/gpg_helper.rb:

      begin
        output_file.close
        # commandline is built from caller-supplied arguments without escaping,
        # and the whole string is handed to /bin/sh by system()
        result = system("#{commandline} > #{output_file.path} 2>&1")
      ensure
Author: Notified 8/1/2013.

Fixed: in 0.2.3. 8/1/2013.

Greets to all () DEFCON21 
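The contrast between the interpolated command line above and the argv form of system(), as an added example that is not part of the advisory or the rgpg project's code. It uses echo as a stand-in for gpg so it runs anywhere, keeps the advisory's pattern of redirecting output into a Tempfile, and all function names and the crafted argument are hypothetical.

```ruby
require 'shellwords'
require 'tempfile'

# Runs a block that writes to a fresh temp file and returns the file's
# contents, mirroring the Tempfile handling in the vulnerable method.
def with_output_file
  output_file = Tempfile.new('rgpg-demo')
  begin
    output_file.close
    yield output_file.path
    File.read(output_file.path)
  ensure
    output_file.unlink
  end
end

# Vulnerable pattern (hypothetical stand-in for run_gpg, echo instead of gpg):
# the arguments are joined into one string and system() hands it to /bin/sh,
# so a ";" inside an argument terminates the echo command and starts another.
# Note that the "> file 2>&1" redirect binds only to the last command, so the
# first echo's output leaks to the caller's stdout and only the injected
# command's output lands in the file.
def run_unsafe(*args)
  command_line = (['echo'] + args).join(' ')
  with_output_file do |path|
    system("#{command_line} > #{path} 2>&1")
  end
end

# Hardened form: argv array. Ruby execs the program directly and no shell
# parses the arguments, so every argument arrives as one literal word,
# metacharacters included. The redirection is expressed with spawn options
# instead of shell syntax.
def run_safe(*args)
  with_output_file do |path|
    system('echo', *args, out: [path, 'w'], err: [:child, :out])
  end
end

# Fallback when a single shell string is unavoidable: escape every fragment
# before joining, so metacharacters are passed through literally.
def build_escaped_command_line(*args)
  (['echo'] + args).map { |fragment| Shellwords.escape(fragment) }.join(' ')
end

# Constructed sample input: a "filename" carrying a shell metacharacter.
CRAFTED_ARG = 'report.txt; echo INJECTED'.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe file content: #{run_unsafe(CRAFTED_ARG).inspect}"
  puts "safe file content:   #{run_safe(CRAFTED_ARG).inspect}"
  puts "escaped command:     #{build_escaped_command_line(CRAFTED_ARG)}"
end
```

With the crafted argument, the unsafe call's temp file holds only "INJECTED", proving the second command ran, while the argv form writes the whole argument as a single literal. Shellwords.escape turns the same input into `report.txt\;\ echo\ INJECTED`, which a shell would read as one word.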
|References

Source: github.com
Link: https://github.com/rcook/rgpg/commit/b819b13d198495f3ecd2762a0dbe27bb6fae3505
Source: MLIST
Name: [oss-security] 20130802 Re: Rgpg Ruby Gem Remote Command Injection (CVE Request)
Link: http://www.openwall.com/lists/oss-security/2013/08/03/2
Source: BID
Name: 61575
Link: http://www.securityfocus.com/bid/61575