Title: Ruby Gem as-1.0 Password exposure
Date: 9/25/2014
Author: Larry W. Cashdollar, @_larry0
Download: http://rubygems.org/gems/as
Description: as-1.0 is a command line interface to automate deployment and management of servers for https://www.anotherservice.com/.
./as-1.0/lib/vmc/micro/vmrun.rb

    command = "-gu #{@user} -gp #{@password} runProgramInGuest"
    args = '/usr/bin/test -e /var/vcap/micro/offline'
    # why not use run_command?
    result = %x{#{@vmrun} #{command} #{@vmx} #{args}}

    if result.include?('Guest program exited with non-zero exit code: 1')
      return false

    # ...

    def ready?
      command = "-gu root -gp 'ca$hc0w' runProgramInGuest"
      args = '/usr/bin/test -e /var/vcap/micro/micro.json'
      result = %x{#{@vmrun} #{command} #{@vmx} #{args}}

      if result.include?('Invalid user name or password for the guest OS') || $?.exitstatus == 0
        return true

This gem exposes users' login credentials to the process table. If the as-1.0 software is used in the context of a gem or wrapped behind sudo, it would be vulnerable to command injection as well.
./as-1.0/lib/vmc/micro.rb

    def run_command(command, args=nil)
      # TODO switch to using posix-spawn instead
      result = %x{#{command} #{args} 2>&1}
      unless $?.exitstatus == 0
        if block_given?
          yield
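As an added illustration (not code from the gem or from this advisory), the two findings side by side: the gem's %x{} string pattern next to an argv-array spawn through Open3, and a Linux-only audit check that reads a child's /proc/<pid>/cmdline to show that a password given as an argument, the way vmrun -gp takes it, is readable from the process table. The Ruby interpreter stands in for vmrun, and run_via_shell, run_argv and secret_in_process_table? are names chosen for this example.

```ruby
require 'open3'
require 'rbconfig'

# Stand-in for vmrun (assumption: the real VMware tool is not available here):
# the Ruby interpreter itself, printing each argv element it received on a line.
STUB_SHELL = "#{RbConfig.ruby} -e 'puts ARGV' --"
STUB_ARGV  = [RbConfig.ruby, '-e', 'puts ARGV', '--'].freeze

# The gem's pattern: user and password interpolated into one string that %x{}
# hands to /bin/sh.  Shell metacharacters in the password are parsed by sh,
# not delivered to the tool (and a ';' would start a second command).
def run_via_shell(args)
  %x{#{STUB_SHELL} #{args}}.lines.map(&:chomp)
end

# Hardened form: argv array through Open3, no shell in between.  Each element
# reaches the child as exactly one argument, so '$', ';' and spaces are data.
def run_argv(*argv)
  out, _status = Open3.capture2(*STUB_ARGV, *argv)
  out.lines.map(&:chomp)
end

# Audit check for the process-table finding (Linux /proc only, nil elsewhere):
# start a child with `secret` in its argv, as `vmrun -gp` does, and report
# whether the secret can be read back from /proc/<pid>/cmdline (what ps shows).
# Passing argv as an array does not help here; the password is still visible.
def secret_in_process_table?(secret)
  return nil unless File.directory?('/proc')
  pid = Process.spawn(RbConfig.ruby, '-e', 'sleep 5', '--', secret)
  visible = File.binread("/proc/#{pid}/cmdline").split("\0").include?(secret)
  Process.kill('TERM', pid)
  Process.wait(pid)
  visible
end

if __FILE__ == $PROGRAM_NAME
  p run_via_shell('-gp ca$hc0w')        # sh expands $hc0w: ["-gp", "ca"]
  p run_argv('-gp', 'ca$hc0w')          # delivered intact: ["-gp", "ca$hc0w"]
  p secret_in_process_table?('ca$hc0w') # true on Linux
end
```

The argv form removes the shell from the path and so the injection finding, but the password still reaches the tool on its command line, which is the exposure the advisory describes.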