Vulnerability Report for Ruby Gem gnms-2.1.1

[larry0 () me com (Larry W. Cashdollar)]

Title: Vulnerability Report for Ruby Gem gnms-2.1.1

Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014

OSVDB: 108594

CVE:Please Assign

Download: http://rubygems.org/gems/gnms

Gem Author:  david.maciejak () gmail com

From: ./gnms-2.1.1/lib/cmd_parse.rb

The #{ip} variable isn't properly sanitized and can lead to remote command injection if a malicious user specifies an 
IP address with shell meta characters like ; and &. 

0Command injection via #{ip} in ping and other functions.
147-    lp=""
148-    nmap_version = $config.nmap_vers.to_f()
149-    if nmap_version >= 6.0 
150:      lp=`#{$config.nmap_path} -sU -sT #{ip} --host_timeout 60 2>/dev/null| grep open | grep "^[0-9]"`
151-    else
152-      if nmap_version > 0.0
153:        lp=`#{$config.nmap_path} -sU -sT #{ip} --host_timeout 60000 2>/dev/null| grep open | grep "^[0-9]"`
154-      end
155-    end
177-# Return mac adress of the ip if in local arp table
178-#
179-def mac_tablelocal(ip)
180:        `ping -c 1 -W 1 #{ip}`
181:    lp=`arp -n #{ip} | grep #{ip} | awk {print $3;}`
182-    #there is no entry
183-    if lp.chomp == "--"
184-      lp=""
232-def ping (ip)
233:    pip=`#{$config.ping_path} #{ip} -c 1 -n -W 4 2>/dev/null | grep ^64`
234-    return pip!=""
235-end


Advisory: http://www.vapid.dhs.org/advisories/gnms-2.1.1.html