Date: Fri, 12 Apr 2013 11:14:24 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Larry W. Cashdollar" <larry0@...com>
Subject: Re: Remote command injection in Ruby Gem kelredd-pruview 0.3.8

On 04/10/2013 01:14 PM, Larry W. Cashdollar wrote:
> 
> Remote command injection in Ruby Gem kelredd-pruview 0.3.8
> 
> ------------------------------------------------------------------------
>
>  Larry W. Cashdollar 4/4/2013 @_larry0
> 
> *Description*: "A gem to ease generating image previews
> (thumbnails) of various files."
> 
> https://rubygems.org/gems/kelredd-pruview
> 
> Remote commands can be executed if the file name contains shell
> meta characters.
> 
> ./kelredd-pruview-0.3.0/lib/pruview/document.rb
> 
> In the following code snippet, we see the user input isn't
> sanitized for shell metacharacters. A malicious file with special
> characters in the filename could be used to execute commands as the
> local user.
> 
> 69       run_system_command("convert -format jpg \"#{source}[0]\" \"#{@...pfile.path}\"", "Error processing postscript document")
> 85       colorspace = run_system_command("identify #{GLOBAL_CMD_ARGS} -format \"%r\" #{image.path}", "Error reading document colorspace")
> 
> function run_system_command() passes user supplied input to the
> command line.
> 
> 141     def run_system_command(command, error_message)
> 142       output = `#{command}`
> 143       raise "#{error_message}: error given #{$?}\n#{output}" if $? != 0
> 144       return output
> 145     end
> 
> In kelredd-pruview-0.3.0/lib/pruview/video.rb, the video encoding
> and scaling features are also vulnerable:
> 
> 27       run("#{FLVTOOL} -U #{target}", "Unable to add meta-data for #{target}.")
> 
> 51       run(build_command(@...rce, target, width, height, get_info(info_yml), scale_static), "Unable to convert #{@...rce} to #{target}.")
> 
> Run is defined as:
> 
> 140     def run(command, error_message = "Unknown error.")
> 141       raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)
> 142     end
> 
> User controlled data is being sent to the command line without
> any shell meta characters being escaped.
> 
> In kelredd-pruview-0.3.0/lib/pruview/video_image.rb:
> 
> 13       run(build_command(source, "-ss 00:00:#{duration * 0.1}", 'mjpeg', target), "Unable to get preview image for #{target}")
> 
> 30     def self.build_command(source, time_str, format, target)
> 31       command = %Q{#{Video::FFMPEG} -i "#{source}"}
> 32       command += " #{time_str}"
> 33       command += " -f #{format}" if !format.empty?
> 34       command += " -an -y #{target}"
> 35     end
> 
> where function run() is defined as:
> 
> 37     def self.run(command, error_message = "Unknown error.")
> 38       raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)
> 39     end
> 
> In line 38 user supplied data is passed to the command line. This
> vulnerability doesn't have a CVE assigned yet.
> 
> http://vapid.dhs.org/advisories/kelredd-pruview-cmd-inject.html
> 

Please use CVE-2013-1947 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
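The backtick/system interpolation the advisory describes, placed beside a hardened version that passes an argv array so no shell ever parses the file name. This is an added illustration, not the gem's code; it assumes /bin/echo stands in for convert/ffmpeg, and the hostile file name is constructed for the demo.

```ruby
require "open3"
require "shellwords"

# Vulnerable pattern from the advisory: the caller interpolates a file name
# into a command string, and backticks hand that string to /bin/sh, so any
# shell metacharacter in the name becomes shell syntax. Kept only to
# contrast with the fixed form below.
def run_system_command_vulnerable(command)
  output = `#{command}`
  raise "error given #{$?.exitstatus}\n#{output}" unless $?.success?
  output
end

# Hardened replacement: callers build an argv array and Open3.capture2
# execs the program directly (no shell is involved when more than one
# argument is given), so each element reaches the program as one literal
# argument regardless of its contents.
def run_system_command_safe(*argv)
  output, status = Open3.capture2(*argv)
  raise "#{argv.first} failed: exit #{status.exitstatus}\n#{output}" unless status.success?
  output
end

# Where a single shell string is unavoidable (e.g. a pipeline), quote every
# user-controlled piece with Shellwords.escape before interpolating it.
def identify_colorspace_command(image_path)
  "identify -format %r #{Shellwords.escape(image_path)}"
end

# Constructed file name containing a ';' that would end the intended
# command and start a second one if a shell parsed it.
HOSTILE_NAME = "preview; echo INJECTED".freeze

# Runs both variants with /bin/echo in place of convert/ffmpeg and returns
# their outputs so the difference can be inspected or asserted on.
def demo
  unsafe = run_system_command_vulnerable("echo #{HOSTILE_NAME}")
  safe   = run_system_command_safe("echo", HOSTILE_NAME)
  { unsafe: unsafe, safe: safe }
end
```

In the unsafe path the shell runs a second `echo`, so `INJECTED` appears on its own line; in the safe path the whole name is printed verbatim as a single argument.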
