Command Injection Affecting discordrb package, versions <3.5.0
- Snyk ID SNYK-RUBY-DISCORDRB-5291534
- published 28 Mar 2023
- disclosed 28 Mar 2023
- credit Erik Krogh Kristensen
Introduced: 28 Mar 2023
CVE-2023-28102
How to fix?
Upgrade discordrb to version 3.5.0 or higher.
Overview
Affected versions of this package are vulnerable to Command Injection: the encoder.rb file unsafely constructs a shell command string from the file parameter, which can leave clients of discordrb vulnerable to command injection.
Note: The library is not directly exploitable: the exploit requires that some client of the library calls the vulnerable method with user input. However, if unsafe input reaches the library method, then an attacker can execute arbitrary shell commands on the host machine. Full impact will depend on the permissions of the process running the discordrb library and will likely not be total system access.
PoC
This is how the PoC would look if you have discordrb set up:
```ruby
require 'discordrb'

bot = Discordrb::Voice::Encoder.new
# The file name carries shell backticks, which the shell treats as command substitution
bot.encode_file("`touch pwned`")
```
The construction in encoder.rb that the PoC reaches, with the unrelated values stubbed out:
```ruby
ffmpeg_command = "foo" # unrelated
options = "" # unrelated
filter_volume_argument = "bar" # unrelated

# Command that will be executed
file = "`touch pwned`"

# This command should be built as an array instead of a string; that way injection would be impossible!
command = "#{ffmpeg_command} -loglevel 0 -i \"#{file}\" #{options} -f s16le -ar 48000 -ac 2 #{filter_volume_argument} pipe:1"
IO.popen(command)
```
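The array-based fix the advisory calls for, as an added example that is not discordrb's own code: the vulnerable string construction is kept only for comparison, the hardened form hands `IO.popen` an argv array so no shell ever parses the file name, and a stand-in for ffmpeg (assumed: a POSIX `sh` is available) lets the hardened form run offline and echo back the argument it received.

```ruby
# Constructed attacker-controlled file name, the advisory's PoC payload: the
# backticks are only dangerous if a shell gets to interpret them.
UNTRUSTED_FILE = '`touch pwned`'.freeze

# Shape of the vulnerable construction in encoder.rb (< 3.5.0): one interpolated
# string. IO.popen(String) runs it via /bin/sh whenever it contains shell
# metacharacters, so the backticks inside the file name are executed.
def vulnerable_command(file, ffmpeg: 'ffmpeg', options: '', volume: '')
  "#{ffmpeg} -loglevel 0 -i \"#{file}\" #{options} -f s16le -ar 48000 -ac 2 #{volume} pipe:1"
end

# Hardened form: an argv array. IO.popen(Array) execs the program directly,
# no shell is involved, and the file name is exactly one argument no matter
# which characters it contains. Extra options are passed as arrays too, so
# they cannot be smuggled in as a single tokenised string.
def hardened_command(file, ffmpeg: 'ffmpeg', options: [], volume: [])
  [ffmpeg, '-loglevel', '0', '-i', file,
   *options, '-f', 's16le', '-ar', '48000', '-ac', '2', *volume, 'pipe:1']
end

# Runs the hardened argv with a stand-in executable so the example works
# without ffmpeg: `sh -c '...'` receives our argv as $0, $1, ... and prints
# back $4, the slot that holds the file name. sh only parses the -c script,
# never the arguments, so the backticks come back literally and nothing is
# touched on disk.
def run_hardened(file)
  argv = hardened_command(file, ffmpeg: 'ffmpeg-stub')
  IO.popen(['sh', '-c', 'printf %s "$4"', *argv], &:read)
end

if $PROGRAM_NAME == __FILE__
  puts "string form (would be given to /bin/sh): #{vulnerable_command(UNTRUSTED_FILE)}"
  puts "array form (exec'd directly):            #{hardened_command(UNTRUSTED_FILE).inspect}"
  puts "stub received file argument:             #{run_hardened(UNTRUSTED_FILE)}"
end
```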