Hard News Hard Hitting News Source Global Political News

Cyber Security

Command injection bug patched in Ruby library for converting AsciiDoc files

Developers have patched a popular Ruby library for parsing and converting AsciiDoc files to safeguard servers against a newly discovered command injection vulnerability.

Command injection vulnerabilities allow an attacker to execute arbitrary operating system commands on the server that is running an application, typically resulting in the complete compromise of the application and all its data.

The Ruby library in question, asciidoctor-include-ext, is an extension for the Asciidoctor processor that resolves AsciiDoc `include::` directives, pulling both local files and remote URLs into a document. The extension is itself designed to be extended.

Piping malicious commands

Joern Schneeweisz, a security engineer at GitLab, discovered that he could force asciidoctor-include-ext to execute arbitrary commands by feeding crafted input strings to the tool.

“[asciidoctor-include-ext] made use of `open`/`IO.foreach` to include files and URLs. Both methods can be used to execute commands when you prepend a pipe symbol like `|some_command --some argument` to read from that command’s standard output instead of a file,” Schneeweisz told The Daily Swig.

A successful attack runs the injected command with whatever privileges the process rendering the AsciiDoc file holds, whether that is a documentation build job or a web application rendering user-supplied documents. The bug was assigned a critical CVSS score of 10.0.

“It’s a bit concerning as the vulnerability can be triggered in the normal rendering of asciidoctor documents which use this extension,” Schneeweisz said. “The exploit itself is easy enough, a sample has been published in the commit message for the fix.”

Decades-old vector

Interestingly, this class of vulnerability was publicly documented as far back as 2015. At the time, security researcher Egor Homakov detailed in a blog post how Ruby’s open-uri wrapper and the `open` family of methods it builds on, the same methods asciidoctor-include-ext relied on, could be exploited for remote code execution (RCE) attacks.

“Ruby’s open-uri default behavior is very dangerous and prone to RCE bugs like this,” Homakov told The Daily Swig.

“It definitely should have been removed or split up into different functions e.g., openSystem (with pipe |), openURI (for URI) and openFile (for files) to remove ambiguity and security risk. I guess nobody cared enough to fix it. Such things stay ‘status quo’ until some very critical vulnerability is found to take an action.”

“I think the way of having a | [pipe] prepended to read a command instead of a file is just not too widely known behavior in those Ruby methods,” Schneeweisz said. “It’s easy to miss and also easy to exploit in most cases.”
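The pipe behaviour Schneeweisz describes and the file/URI/command split Homakov proposes, shown side by side in a short Ruby example added for this page. This is illustrative code, not asciidoctor-include-ext’s own source: the function names, the temporary sample file and the `base_dir:` restriction are assumptions of the example, and the remote branch only classifies the URL rather than fetching it so the code runs offline.

```ruby
require 'uri'
require 'tmpdir'

# Constructed sample input: a small AsciiDoc fragment written to a temporary
# directory so the example runs offline. The directory, file name and
# contents are made up for this example.
SAMPLE_DIR  = Dir.mktmpdir('include-ext-example')
SAMPLE_FILE = 'chapter.adoc'
File.write(File.join(SAMPLE_DIR, SAMPLE_FILE),
           "== Included chapter\n\nHello from a local file.\n")

# Vulnerable pattern (modelled on the behaviour Schneeweisz describes, not the
# extension's actual source). IO.foreach, like Kernel#open, treats a target
# that begins with '|' as a command and yields that command's standard output
# instead of a file's contents. It is IO.foreach, not File.foreach, that
# spawns the process.
def include_vulnerable(target)
  lines = []
  IO.foreach(target) { |line| lines << line }
  lines
end

# Hardened resolver, following the split Homakov suggests: classify the
# target as a URL or a local path before touching it, refuse anything that
# could be read as a command, and use APIs that can only do the one thing
# the branch is meant to do. The base_dir: restriction is an assumption of
# this example (a document may only include files beneath its own directory).
def resolve_include(target, base_dir:)
  if target.start_with?('|')
    raise ArgumentError, "pipe target refused: #{target.inspect}"
  end

  uri = begin
    URI.parse(target)
  rescue URI::InvalidURIError
    nil # e.g. a local file name containing spaces
  end

  if uri && uri.scheme
    # Remote include: allow only http(s). A caller would fetch it with
    # Net::HTTP, never with Kernel#open or URI.open, which accept the same
    # '|' prefix. No fetch is performed here so the example stays offline.
    unless %w[http https].include?(uri.scheme.downcase)
      raise ArgumentError, "unsupported include scheme: #{uri.scheme}"
    end
    return { kind: :url, uri: uri }
  end

  # Local include: anchor the path under base_dir and reject anything that
  # escapes it. File.expand_path also expands a leading '~', which is why the
  # prefix check runs on the expanded result rather than on the raw string.
  base = File.expand_path(base_dir)
  path = File.expand_path(target, base)
  unless path.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "include escapes #{base}: #{target.inspect}"
  end

  # File.foreach (unlike IO.foreach) never interprets '|' and never spawns a
  # process, so even a path that slipped past the checks above could only be
  # opened as a file.
  { kind: :file, path: path, lines: File.foreach(path).to_a }
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{include_vulnerable('|echo injected').inspect}" # => ["injected\n"]
  puts "hardened:   #{resolve_include(SAMPLE_FILE, base_dir: SAMPLE_DIR)[:lines].first.inspect}"
  begin
    resolve_include('|echo injected', base_dir: SAMPLE_DIR)
  rescue ArgumentError => e
    puts "hardened:   refused (#{e.message})"
  end
end
```

The first call is the bug in miniature: the "file name" `|echo injected` never touches the filesystem, the shell runs `echo` and its output becomes document content. The hardened resolver never gives an attacker-controlled string to an API that can mean two different things, which is exactly the ambiguity Homakov argues `open` should not have had.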

Source: https://portswigger.net/daily-swig/command-injection-bug-patched-in-ruby-library-for-converting-asciidoc-files
