what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Ruby Gem kelredd-pruview 0.3.8 Command Injection

Ruby Gem kelredd-pruview 0.3.8 Command Injection
Posted Apr 12, 2013
Authored by Larry W. Cashdollar

Ruby Gem kelredd-pruview version 0.3.8 suffers from a remote command injection vulnerability.

tags | exploit, remote, ruby
SHA-256 | dd1b24534bc513df316ed360fb139f228b8988566fe55fe24f004ec934cc9308

Ruby Gem kelredd-pruview 0.3.8 Command Injection

Change Mirror Download
Remote command injection in Ruby Gem kelredd-pruview 0.3.8

Larry W. Cashdollar
4/4/2013
@_larry0

Description: "A gem to ease generating image previews (thumbnails) of various files."

https://rubygems.org/gems/kelredd-pruview

Remote commands can be executed if the file name contains shell meta characters.

./kelredd-pruview-0.3.0/lib/pruview/document.rb

In the following code snippet, we see the user input isn't sanitized for shell metacharacters. A malicious file with special characters in the filename could be used to execute commands as the local user.

69 run_system_command("convert -format jpg \"{source}[0]\" \"{@tempfile.path}\"", "Error processing postscript document")
85 colorspace = run_system_command("identify #{GLOBAL_CMD_ARGS} -format \"%r\" #{image.path}", "Error reading document colorspace")

function run_system_comand() passes user supplied input to the command line.

141 def run_system_command(command, error_message)
142 output = `{command}`
143 raise "{error_message}: error given {$?}\n{output}" if $? != 0
144 return output
145 end

In kelredd-pruview-0.3.0/lib/pruview/video.rb: Also the video encoding and scaling features are vulnerable as well:

27 run("#{FLVTOOL} -U #{target}", "Unable to add meta-data for #{target}.")

51 run(build_command(@source, target, width, height, get_info(info_yml), scale_static), "Una ble to convert #{@source} to #{target}.")

Run is defined as:

140 def run(command, error_message = "Unknown error.")
141 raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)
142 end

User controlled data is being sent to the command line with out any shell meta charatcers being escaped.

In kelredd-pruview-0.3.0/lib/pruview/video_image.rb:

13 run(build_command(source, "-ss 00:00:#{duration * 0.1}", 'mjpeg', target), "Unable to get preview image for #{target}")

30 def self.build_command(source, time_str, format, target) 31 command = %Q{#{Video::FFMPEG} -i "#{source}"} 32 command += " #{time_str}" 33 command += " -f #{format}" if !format.empty? 34 command += " -an -y #{target}" 35 end

where function run() is defined as:

37 def self.run(command, error_message = "Unknown error.")
38 raise "Ffmpeg error: " + error_message + " - command: '#{command}'" if !system(command)
39 end

In line 38 user supplied data is passed to the command line.
This vulnerability doesn't have a CVE assigned yet.

https://vapid.dhs.org/advisories/kelredd-pruview-cmd-inject.html
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close