lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201303151417.r2FEHcV9019323@sf01web3.securityfocus.com>
Date: Fri, 15 Mar 2013 14:17:38 GMT
From: Larry0@...com
To: bugtraq@...urityfocus.com
Subject: MiniMagic ruby gem remote code execution

MiniMagic ruby gem remote code execution

3/12/2013

https://github.com/hcatlin/mini_magick

A ruby wrapper for ImageMagick or GraphicsMagick command line.

Tested on both Ruby 1.9.2 and Ruby 1.8.7.

If a URL is from an untrusted source, commands can be injected into it for remote code execution with the ; character.

image = MiniMagick::Image.open(remoteurl) image.resize "5x5"
image.format "gif"
image.write "localcopy.gif"

./hcatlin-mini_magick-1.3.1/lib/mini_magick.rb

Lines
172 command = "#{MiniMagick.processor} #{command} {args.join(' ')}".strip 173

174       if ::MiniMagick.use_subexec
175         sub = Subexec.run(command, :timeout => MiniMagick.timeout)
176         exit_status = sub.exitstatus
177         output = sub.output
178       else 
179         output = `{command} 2>&1`
180         exit_status = $?.exitstatus
181       end
The .strip will only remove whitespace from the beginning and end of the command.

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ