Title: Vulnerability Report for Ruby Gem VladTheEnterprising-0.2

Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014

OSVDB: 108728

CVE:Please Assign

Download: http://rubygems.org/gems/VladTheEnterprising

Gem Author: mlwelles[at]gmail.com

Author Contacted:6/25/2014

From: ./VladTheEnterprising-0.2/lib/vlad/dba/mysql.rb

The mysql root password can be read out of /tmp/my.cnf.#{target_host} if a local user waits to read that after it is written and before it is removed in line 394.

It is also possible to clobber files owned by the VladTheEnterprising user process via symlink attack because the my.cnf.#{target_host} doesn't have a randomly created filename.

If this Gem is used in the context of a rails application and the user is allowed to specify the target host command injection can occur at line 394 if special shell meta characters are injected like ; and &.

0384-      cnf << "host     = localhost\n"
385-      cnf << "user     = root\n"
386-      cnf << "password = {mysql_root_password}\n"
387:      File.open("/tmp/my.cnf.{target_host}", "w") do |file|
388-        file.write(cnf)
389-      end
390:      scp "/tmp/my.cnf.#{target_host}", ".my.cnf"

391- end
392-
393- remote_task :remove_dot_my_cnf, :roles => :new_slave do

394:      `rm /tmp/my.cnf.#{target_host}; exit 0`
395-      run "rm -f .my.cnf; exit 0"

396- end
397-
--

599-           :mysql_err => "/var/log/mysql.err",
600-           :my_cnf => lambda { "/etc/mysql/conf.d/{shortname}.cnf" },
601-           :my_src_cnf => lambda { "files/mysql/configs/{shortname}.cnf" },
602:           :my_tmp_cnf => lambda { "/tmp/my.cnf-#{version}"},
603-           :my_dest_cnf => lambda { my_cnf },
604-           :mysql_config_nfs_copy => lambda { true },
605-           :mysql_config_copy => lambda {

Advisory: http://www.vapid.dhs.org/advisories/VladTheEnterprising-0.2.html