Vulnerability Report for Ruby Gem VladTheEnterprising-0.2

[larry0 () me com (Larry W. Cashdollar)]

Title: Vulnerability Report for Ruby Gem VladTheEnterprising-0.2

Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014

OSVDB: 108728

CVE:Please Assign

Download: http://rubygems.org/gems/VladTheEnterprising

Gem Author:  mlwelles () gmail com

From: ./VladTheEnterprising-0.2/lib/vlad/dba/mysql.rb

The mysql root password can be read out of /tmp/my.cnf.#{target_host} if a local user waits to read that after it is 
written and before it is removed in line 394.

It is also possible to clobber files owned by the  VladTheEnterprising user process via symlink attack because the 
my.cnf.#{target_host} doesn't have a randomly created filename.

If this Gem is used in the context of a rails application and the user is allowed to specify the target host command 
injection can occur at line 394 if special shell meta characters are injected like ; and &.

0384-      cnf << "host     = localhost\n"
385-      cnf << "user     = root\n"
386-      cnf << "password = #{mysql_root_password}\n"
387:      File.open("/tmp/my.cnf.#{target_host}", "w") do |file|
388-        file.write(cnf)
389-      end
390:      scp "/tmp/my.cnf.#{target_host}", ".my.cnf"
391-    end
392-
393-    remote_task :remove_dot_my_cnf, :roles => :new_slave do
394:      `rm /tmp/my.cnf.#{target_host}; exit 0`
395-      run "rm -f .my.cnf; exit 0"
396-    end
397-
--
599-           :mysql_err => "/var/log/mysql.err",
600-           :my_cnf => lambda { "/etc/mysql/conf.d/#{shortname}.cnf" },
601-           :my_src_cnf => lambda { "files/mysql/configs/#{shortname}.cnf" },
602:           :my_tmp_cnf => lambda { "/tmp/my.cnf-#{version}"},
603-           :my_dest_cnf => lambda { my_cnf },
604-           :mysql_config_nfs_copy => lambda { true },
605-           :mysql_config_copy => lambda {


Advisory: http://www.vapid.dhs.org/advisories/VladTheEnterprising-0.2.html