lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <8D3B4D08-1E5C-4324-9FA0-71C0C4DE3424@me.com>
Date: Fri, 18 Apr 2014 08:41:49 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: bugtraq@...urityfocus.com
Subject: Remote Command Injection in Ruby Gem sfpagent 0.4.14

Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14

Date: 4/15/2014

Author: Larry W. Cashdollar, @_larry0

CVE: 2014-2888

Download: http://rubygems.org/gems/sfpagent

Vulnerability
The list variable generated from the user supplied JSON[body] input is passed directly to the system() shell on line 649. If a user supplies a module name with shell metacharacters like ; they might be able to execute shell commands on the remote system as the sfpagent running user id.

>From sfpagent-0.4.14/lib/sfpagent/bsig.rb:

637                         code, body = get_data(address, port, '/modules')
638                         raise Exception, "Unable to get modules list from {name}" if code.to_i != 200
639 
640                         modules = JSON[body]
641                         list = ''
642                         schemata.each { |m|
643                                 list += "{m} " if File.exist?("{modules_dir}/{m}") and
644                                                    (not modules.has_key?(m) or modules[m] != get_local_module_hash(m, modules_dir).to_s)
645                         }
646 
647                         return true if list == ''
648 
649                         if system("cd #{modules_dir}; #{install_module} #{address} #{port} #{list} 1>/dev/null 2>/tmp/install_module.error")
650                                 Sfp::Agent.logger.info "Push modules #{list}to #{name} [OK]"
651                         else
652                                 Sfp::Agent.logger.warn "Push modules #{list}to #{name} [Failed]"
653                         end
654 
655                         return true

Vendor: Notified 4/15/14. Version 0.4.15 fixes this issue.

Advisory: http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ