sup Remote Command Execution

2013.10.30
Credit: joernchen
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-++->

[ Authors ]
joernchen <joernchen () phenoelit de>
Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
sup <= 0.14.1 (on non Darwin systems)
sup <= 0.13.2 (on non Darwin systems)
http://supmua.org

[ Vendor communication ]
2013-10-28 Sent vulnerability details to sup maintainer
2013-10-28 Maintainer proposes fix
2013-10-29 Sup 0.13.2.1 and 0.14.1.1 are released [1]
2013-10-29 Release of this advisory

[ Description ]
Observe in sup/lib/sup/message_chunks.rb [0]:

    def view_default! path
      ## please see note in write_to_disk on important usage
      ## of quotes to avoid remote command injection.
      case RbConfig::CONFIG['arch']
      when /darwin/
        cmd = "open #{path}"
      else
        cmd = "/usr/bin/run-mailcap --action=view #{@content_type}:#{path}"
      end
      debug "running: #{cmd.inspect}"
      BufferManager.shell_out(cmd)
      $? == 0
    end

Here @content_type is attacker-controlled and is not sanitized any further before being interpolated into a shell command line. A forged Content-Type header on an e-mail attachment therefore results in command injection on every non-Darwin system.

[ Example ]
For convenience the email delivering this file serves as an example. When viewing this attachment in a vulnerable version of sup, the content type being "text/'`id>/tmp/whatsup`'pwn" will generate a file "whatsup" in the /tmp directory.

[ Solution ]
Upgrade to version 0.14.1.1 or 0.13.2.1

[ References ]
[0] https://github.com/sup-heliotrope/sup/blob/916a354db8eb851bff6ff2e3f2e08727d132a8dc/lib/sup/message_chunks.rb#L175
[1] http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html

[ end of file ]
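The shell boundary the advisory describes, and the two defensive measures that close it, as an added example written for this page (it is neither sup's code nor the maintainers' fix in 0.14.1.1 / 0.13.2.1). The string produced by the vulnerable interpolation is only built, never executed, so the reader can see where the data meets /bin/sh; `valid_content_type?` enforces the RFC 6838 restricted-name grammar for media types, and `view_argv` hands run-mailcap an argument vector so no shell ever parses the header value. The attachment path and the Content-Type value are constructed samples; the latter is the one quoted in the advisory.

```ruby
require 'shellwords'

# Constructed sample inputs (not taken from a real message): the path sup
# would write the attachment to, and the forged Content-Type from the advisory.
ATTACHMENT_PATH = "/tmp/attachment.txt".freeze
FORGED_TYPE     = "text/'`id>/tmp/whatsup`'pwn".freeze

# The vulnerable construction from message_chunks.rb, reproduced as a pure
# string builder so the shell boundary can be inspected. It is never run here:
# handed to a shell, the backticks inside content_type would be evaluated.
def vulnerable_command(content_type, path)
  "/usr/bin/run-mailcap --action=view #{content_type}:#{path}"
end

# Fix 1: validate the header against the media-type grammar. RFC 6838 sec. 4.2
# restricts type and subtype names to an alphanumeric first character followed
# by up to 126 characters from ALPHA / DIGIT / "!" "#" "$" "&" "-" "^" "_" "." "+".
# Quotes, backticks, whitespace, ";" and redirection characters can never pass.
# (Single quotes keep Ruby from interpolating "#$&" inside the pattern.)
RESTRICTED_NAME = '[A-Za-z0-9][A-Za-z0-9!#$&\-^_.+]{0,126}'
CONTENT_TYPE_RE = /\A#{RESTRICTED_NAME}\/#{RESTRICTED_NAME}\z/

def valid_content_type?(content_type)
  CONTENT_TYPE_RE.match?(content_type.to_s)
end

# Fix 2: never let a shell see the data at all. Build an argument vector;
# Process.spawn(*argv) or system(*argv) then executes run-mailcap directly,
# so metacharacters in content_type or path are just bytes in one argument.
def view_argv(content_type, path)
  ["/usr/bin/run-mailcap", "--action=view", "#{content_type}:#{path}"]
end

# If a single command string is unavoidable (an API that only accepts one),
# Shellwords.join quotes every element so /bin/sh splits it back into exactly
# the argv above. Shellwords.split is used in the demo to prove the round trip.
def view_command_string(content_type, path)
  Shellwords.join(view_argv(content_type, path))
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable string: #{vulnerable_command(FORGED_TYPE, ATTACHMENT_PATH)}"
  puts "passes validation: #{valid_content_type?(FORGED_TYPE)}"
  puts "argument vector:   #{view_argv(FORGED_TYPE, ATTACHMENT_PATH).inspect}"
  escaped = view_command_string(FORGED_TYPE, ATTACHMENT_PATH)
  puts "escaped string:    #{escaped}"
  puts "round-trips:       #{Shellwords.split(escaped) == view_argv(FORGED_TYPE, ATTACHMENT_PATH)}"
end
```

Validation alone is the weaker of the two measures: a value such as "text/`id`" is rejected by the restricted-name grammar only because backticks are not permitted characters, so any relaxation of the pattern reopens the hole. Passing an argument vector removes the shell from the path entirely and is the fix that does not depend on what the attacker is allowed to send.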

References:

https://github.com/sup-heliotrope/sup/blob/916a354db8eb851bff6ff2e3f2e08727d132a8dc/lib/sup/message_chunks.rb#L175
http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html
http://cxsecurity.com/issue/WLB-2013100196

