| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <cbf57786-c3d9-42c0-b962-9ff042ddb6d3@me.com>
Date: Tue, 12 Mar 2013 23:06:38 +0000 (GMT)
From: "Larry W. Cashdollar" <larry0@...com>
To: full <full-disclosure@...ts.grok.org.uk>
Subject: MiniMagic ruby gem remote code execution
MiniMagic ruby gem remote code execution
3/12/2013
https://github.com/hcatlin/mini_magick
A ruby wrapper for ImageMagick or GraphicsMagick command line.
Tested on both Ruby 1.9.2 and Ruby 1.8.7.
If a URL is from an untrusted source, commands can be injected into it for remote code execution with the ; character.
image = MiniMagick::Image.open(remoteurl) image.resize "5x5"
image.format "gif"
image.write "localcopy.gif"
./hcatlin-mini_magick-1.3.1/lib/mini_magick.rb
Lines
172 command = "#{MiniMagick.processor} #{command} {args.join(' ')}".strip 173
174 if ::MiniMagick.use_subexec
175 sub = Subexec.run(command, :timeout => MiniMagick.timeout)
176 exit_status = sub.exitstatus
177 output = sub.output
178 else
179 output = `{command} 2>&1`
180 exit_status = $?.exitstatus
181 end
The .strip will only remove whitespace from the beginning and end of the command.
Larry W. Cashdollar
@_larry0
http://vapid.dhs.org
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists