Command injection in Ruby Gem Webbynode 1.0.5.3

["Larry W. Cashdollar" <larry0 () me com>]

Command injection in Ruby Gem Webbynode 1.0.5.3

Date: 11/11/2014 

Author: Larry W. Cashdollar, @_larry0

Download: http://rubygems.org/gems/webbynode 

Vulnerability Description: 
The following code located in: ./webbynode-1.0.5.3/lib/webbynode/notify.rb doesn't fully sanitize user supplied input 
before passing it to the shell via %x.

Messages via the growlnotify command line can possibly be used to execute shell commands if the message contains shell 
meta characters.

def self.message(message)
 if self.installed? and !$testing
   message = message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "")
   %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")
 end
end

The message.gsub regex strips ANSI encoded characters from the #{message} variable, it doesn't strip characters like 
;&| etc. If the attacker can control the contents of #{message}, #{TITLE} or #{IMAGE_PATH} they can possibly inject 
shell commands and execute them as the client user.


Vendor: Notified 11/11/2013

I also submitted a pull request 

Advisory: http://www.vapid.dhs.org/advisories/webbynode-command-inj.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/