Ruby Gem Webbynode 1.0.5.3 Command injection

2013-12-13 / 2013-12-15
Credit: Larry W. Cashdollar
Risk: High
Local: Yes
Remote: No
CVE: CVE-2013-7086
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Command injection in Ruby Gem Webbynode 1.0.5.3 Date: 11/11/2014 Author: Larry W. Cashdollar, @_larry0 Download: http://rubygems.org/gems/webbynode Vulnerability Description: The following code located in: ./webbynode-1.0.5.3/lib/webbynode/notify.rb doesn't fully sanitize user supplied input before passing it to the shell via %x. Messages via the growlnotify command line can possibly be used to execute shell commands if the message contains shell meta characters. def self.message(message) if self.installed? and !$testing message = message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "") %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}") end end The message.gsub regex strips ANSI encoded characters from the #{message} variable, it doesn't strip characters like ;&| etc. If the attacker can control the contents of #{message}, #{TITLE} or #{IMAGE_PATH} they can possibly inject shell commands and execute them as the client user. Vendor: Notified 11/11/2013 I also submitted a pull request Advisory: http://www.vapid.dhs.org/advisories/webbynode-command-inj.html

References:

http://www.vapid.dhs.org/advisories/webbynode-command-inj.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top