Ruby Gem Karteek Docsplit 0.5.4 Remote Command Injection

2013-04-08 / 2013-04-09
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Remote Command Injection Karteek Docsplit 0.5.4
4/1/2013
Larry W. Cashdollar
@_larry0

User-supplied input isn't sanitized against shell metacharacters and is fed directly to the shell. If the user is tricked into extracting a file with shell characters in the name, code can be executed remotely.

https://rubygems.org/gems/karteek-docsplit

./karteek-docsplit-0.5.4/lib/docsplit/text_extractor.rb

    def extract_from_ocr(pdf, pages)
      tempdir = Dir.mktmpdir
      base_path = File.join(@output, @pdf_name)
      if pages
        pages.each do |page|
          # @pdf_name and pdf come from the input file name and are
          # interpolated into the command strings without escaping.
          tiff = "#{tempdir}/#{@pdf_name}_#{page}.tif"
          file = "#{base_path}_#{page}"
          run "MAGICK_TMPDIR=#{tempdir} OMP_NUM_THREADS=2 gm convert -despeckle +adjoin #{MEMORY_ARGS} #{OCR_FLAGS} #{pdf}[#{page - 1}] #{tiff} 2>&1"
          run "tesseract #{tiff} #{file} -l eng 2>&1"
          clean_text(file + '.txt') if @clean_ocr
          FileUtils.remove_entry_secure tiff
        end
      else
        tiff = "#{tempdir}/#{@pdf_name}.tif"
        run "MAGICK_TMPDIR=#{tempdir} OMP_NUM_THREADS=2 gm convert -despeckle #{MEMORY_ARGS} #{OCR_FLAGS} #{pdf} #{tiff} 2>&1"
        run "tesseract #{tiff} #{base_path} -l eng 2>&1"
        clean_text(base_path + '.txt') if @clean_ocr
      end
      # (excerpt: the rest of the method is not shown in the advisory)
    end

Run is defined as:

    def run(command)
      # Backticks hand the whole string to the shell.
      result = `#{command}`
      raise ExtractionFailed, result if $? != 0
      result
    end

This vulnerability doesn't yet have a CVE assigned.

http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html
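The following is an added example, not code from the advisory or from the gem: it puts the backtick pattern of run next to an argument-vector variant built on Open3.capture2e and shows how each one delivers a file name to the external tool. The helper names, the constructed file name and the child Ruby process standing in for gm/tesseract are assumptions made for the illustration.

```ruby
require 'open3'
require 'rbconfig'

class ExtractionFailed < StandardError; end

# Pattern from the advisory: the interpolated string is parsed by /bin/sh.
def run_shell(command)
  result = `#{command}`
  raise ExtractionFailed, result unless $?.success?
  result
end

# Hardened variant: environment as a Hash, every argument as its own string.
# Ruby then executes the program directly, with no shell in between, and
# capture2e merges stderr into the result like the original "2>&1".
def run_argv(env, *argv)
  result, status = Open3.capture2e(env, *argv)
  raise ExtractionFailed, result unless status.success?
  result
end

# A leading "-" would still be read as an option by the tool itself,
# so anchor such names to the current directory.
def as_path_arg(name)
  name.start_with?('-') ? "./#{name}" : name
end

# Stand-in for gm/tesseract (assumption): a child Ruby process that prints
# the first argument it received.
STAND_IN = [RbConfig.ruby, '-e', 'print ARGV[0]'].freeze

def seen_via_shell(name)
  run_shell("#{RbConfig.ruby} -e 'print ARGV[0]' #{name} 2>&1")
end

def seen_via_argv(name, tempdir)
  env = { 'MAGICK_TMPDIR' => tempdir, 'OMP_NUM_THREADS' => '2' }
  run_argv(env, *STAND_IN, as_path_arg(name))
end

# Constructed file name containing a harmless command substitution.
CONSTRUCTED_NAME = 'scan$(echo INJECTED).pdf'

if __FILE__ == $PROGRAM_NAME
  puts "shell string: #{seen_via_shell(CONSTRUCTED_NAME)}"
  puts "argv array:   #{seen_via_argv(CONSTRUCTED_NAME, '/tmp')}"
end
```

With the shell string the tool receives a name the shell has already rewritten; with the argument vector it receives the name byte for byte.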

References:

http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html
http://seclists.org/oss-sec/2013/q2/49

