oss-sec mailing list archives
Re: Remote command injection in Ruby Gem kelredd-pruview 0.3.8
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 12 Apr 2013 11:14:24 -0600
On 04/10/2013 01:14 PM, Larry W. Cashdollar wrote:

> Remote command injection in Ruby Gem kelredd-pruview 0.3.8
> ------------------------------------------------------------------------
> Larry W. Cashdollar
> 4/4/2013
> @_larry0
>
> *Description*: "A gem to ease generating image previews (thumbnails) of
> various files."
> https://rubygems.org/gems/kelredd-pruview
>
> Remote commands can be executed if the file name contains shell meta
> characters.
>
> ./kelredd-pruview-0.3.0/lib/pruview/document.rb
>
> In the following code snippet, we see the user input isn't sanitized for
> shell metacharacters. A malicious file with special characters in the
> filename could be used to execute commands as the local user.
>
>  69 run_system_command("convert -format jpg \"#{source}[0]\" \"#{@tempfile.path}\"", "Error processing postscript document")
>
>  85 colorspace = run_system_command("identify #{GLOBAL_CMD_ARGS} -format \"%r\" #{image.path}", "Error reading document colorspace")
>
> The function run_system_command() passes user supplied input to the
> command line:
>
> 141 def run_system_command(command, error_message)
> 142   output = `#{command}`
> 143   raise "#{error_message}: error given #{$?}\n#{output}" if $? != 0
> 144   return output
> 145 end
>
> In kelredd-pruview-0.3.0/lib/pruview/video.rb:
>
> The video encoding and scaling features are vulnerable as well:
>
>  27 run("#{FLVTOOL} -U #{target}", "Unable to add meta-data for #{target}.")
>
>  51 run(build_command(@source, target, width, height, get_info(info_yml), scale_static), "Unable to convert #{@source} to #{target}.")
>
> Run is defined as:
>
> 140 def run(command, error_message = "Unknown error.")
> 141   raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)
> 142 end
>
> User controlled data is being sent to the command line without any shell
> metacharacters being escaped.
>
> In kelredd-pruview-0.3.0/lib/pruview/video_image.rb:
>
>  13 run(build_command(source, "-ss 00:00:#{duration * 0.1}", 'mjpeg', target), "Unable to get preview image for #{target}")
>
>  30 def self.build_command(source, time_str, format, target)
>  31   command = %Q{#{Video::FFMPEG} -i "#{source}"}
>  32   command += " #{time_str}"
>  33   command += " -f #{format}" if !format.empty?
>  34   command += " -an -y #{target}"
>  35 end
>
> where function run() is defined as:
>
>  37 def self.run(command, error_message = "Unknown error.")
>  38   raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)
>  39 end
>
> In line 38 user supplied data is passed to the command line.
>
> This vulnerability doesn't have a CVE assigned yet.
>
> http://vapid.dhs.org/advisories/kelredd-pruview-cmd-inject.html

Please use CVE-2013-1947 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
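The defect in the quoted advisory is the shape of the call, not the particular external tool: an interpolated string handed to backticks or system() is parsed by /bin/sh, so metacharacters in a filename become command structure. The following is an added example, not code from the gem or from the advisory. It places the vulnerable shape next to two hardened shapes (an argv list passed to Open3, and Shellwords.escape for the rare case where a single shell string is unavoidable) and runs all three on a constructed hostile filename. `echo` stands in for convert/identify/ffmpeg so the demo runs on any system with a POSIX shell and echo on PATH; that, and the sample name, are assumptions of the example.

```ruby
require 'open3'
require 'shellwords'

# Constructed sample input: a "filename" carrying shell metacharacters,
# the kind of value the advisory shows reaching backticks unescaped.
HOSTILE_NAME = "preview; echo INJECTED.jpg"

# Vulnerable shape, mirroring the gem's run_system_command: one
# interpolated string goes to backticks, so /bin/sh parses it and
# treats ';' as a command separator.
def unsafe_run(command)
  output = `#{command}`
  raise "command failed (#{$?.exitstatus}):\n#{output}" unless $?.success?
  output
end

# Hardened shape: program and arguments travel as separate argv
# elements. Given more than one argument, Open3.capture2e execs the
# program directly; no shell is involved, and the filename is an opaque
# string to the child process.
def safe_run(*argv)
  raise ArgumentError, "pass program and arguments separately" if argv.size < 2
  output, status = Open3.capture2e(*argv)
  raise "#{argv.first} failed (#{status.exitstatus}):\n#{output}" unless status.success?
  output
end

# Fallback when a single shell string cannot be avoided: escape every
# untrusted piece with Shellwords.escape before interpolating it.
def escaped_run(program, *args)
  unsafe_run(([program] + args).map { |a| Shellwords.escape(a) }.join(" "))
end

# The same logical command three ways. 'echo' replaces convert/identify/
# ffmpeg here (assumption: POSIX shell and echo available on PATH).
def demo_unsafe(name)
  unsafe_run("echo #{name}")   # two commands run: echo, then the injected echo
end

def demo_safe(name)
  safe_run("echo", name)       # one echo; the whole name is its single argument
end

def demo_escaped(name)
  escaped_run("echo", name)    # shell sees the name quoted; same result as safe
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{demo_unsafe(HOSTILE_NAME).inspect}"
  puts "safe:    #{demo_safe(HOSTILE_NAME).inspect}"
  puts "escaped: #{demo_escaped(HOSTILE_NAME).inspect}"
end
```

In a review, the argv form is the one to ask for: it removes the shell from the path entirely, so there is no escaping rule to get subtly wrong, and it makes the fix for lines like 69, 85 and 31 above a mechanical rewrite of each interpolated string into a list of arguments.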