pdf2ruby utility code injection vulnerability #25
Comments
Wow, awesome work @bcoles! Wasn't expecting an RCE! I think this is important to fix, especially because this library is used by security researchers. You don't want to run this script on your laptop and risk having all your private data stolen, among other things.
Just confirming that I've tested this PDF in my app, and there's no RCE if you're just using the actual Origami library:
That makes sense. This issue was identified while manually reviewing the utilities - not as a result of fuzzing.
Also worth noting that
Thank you for submitting this issue. The problem lies in the This script is just an experimental thing I had written a long time ago, but it is largely broken for multiple reasons and I doubt there is any real world scenario where it could be of any use. Code execution could also be achieved with string interpolation by the way. Are you depending on this script for some reason? If not, I think I am just going to strip it out of the repository (there's no point in maintaining something useless and insecure).
Hi @gdelugre I'm not dependent on this script, nor Origami for that matter. I recently did some fuzzing of the pdf-reader Ruby gem. @ndbroadbent asked me to take a look at Origami. During the process of fuzzing, I identified some issues which I wanted to verify by reproducing the issues outside of the fuzzer. To verify, rather than write a loader, I used the existing Regarding string interpolation, I tried, however it failed as
Hi @gdelugre, I'm also not depending on the
Should be fixed by 1ef83a8
Looks like that fixed it. Parameters are escaped.
Fixed as of 2.0.4
The experimental `pdf2ruby` utility takes a user-specified PDF file as input and generates an Origami ruby script which can be used to rebuild an equivalent PDF document. It's possible to craft a PDF for input such that the generated ruby code contains malicious operating system commands. The commands will be executed if the user runs the generated code.

The following malicious PDF document demonstrates this issue.

Note that the `/foo` parameter value contains a string concatenated with operating system commands (a netcat bind shell on port 1337) enclosed in backticks. The operating system commands must be hex encoded as several characters (such as and `/`) prevent successful injection.

Running the `pdf2ruby` utility on the above malicious PDF is successful and generates no warnings or errors, as shown below:

The generated code is shown below:

Note the value of the `:foo` key contains the hex encoded operating system commands surrounded by backticks. The output below shows execution of the generated ruby code resulting in execution of the netcat bind shell: