Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

MiniMagic ruby gem remote code execution
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 12 Mar 2013 23:06:38 +0000 (GMT)

MiniMagic ruby gem remote code execution

3/12/2013

https://github.com/hcatlin/mini_magick

A ruby wrapper for ImageMagick or GraphicsMagick command line.

Tested on both Ruby 1.9.2 and Ruby 1.8.7.

If a URL is from an untrusted source, commands can be injected into it for remote code execution with the ; character.

image = MiniMagick::Image.open(remoteurl) image.resize "5x5"
image.format "gif"
image.write "localcopy.gif"

./hcatlin-mini_magick-1.3.1/lib/mini_magick.rb

Lines

172 command = "#{MiniMagick.processor} #{command} {args.join(' ')}".strip 173

174       if ::MiniMagick.use_subexec
175         sub = Subexec.run(command, :timeout => MiniMagick.timeout)
176         exit_status = sub.exitstatus
177         output = sub.output
178 else 179 output = `{command} 2>&1`
180         exit_status = $?.exitstatus
181       end

The .strip will only remove whitespace from the beginning and end of the command.

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • MiniMagic ruby gem remote code execution Larry W. Cashdollar (Mar 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]