Command Injection Affecting discordrb package, versions <3.5.0


Snyk severity: high

Snyk CVSS
  • Attack Complexity: High
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Threat Intelligence
  • Exploit Maturity: Proof of concept
  • EPSS: 0.08% (34th percentile)

NVD: 9.6 critical

  • Snyk ID SNYK-RUBY-DISCORDRB-5291534
  • published 28 Mar 2023
  • disclosed 28 Mar 2023
  • credit Erik Krogh Kristensen

How to fix?

Upgrade discordrb to version 3.5.0 or higher.

Overview

Affected versions of this package are vulnerable to Command Injection: encoder.rb builds a shell command as a single string by interpolating the file parameter into it, which can leave clients of discordrb vulnerable to command injection.

Note: The library is not directly exploitable: the exploit requires that some client of the library calls the vulnerable method with user input. However, if unsafe input reaches the library method, then an attacker can execute arbitrary shell commands on the host machine. Full impact will depend on the permissions of the process running the discordrb library and will likely not be total system access.

PoC

This is how the PoC would be if you set up discordrb.

```ruby
require 'discordrb'

bot = Discordrb::Voice::Encoder.new

# The extracted page shows the argument bare as `touch pwned`; string quotes restored.
bot.encode_file("touch pwned")
```

The vulnerable construction, simplified from encoder.rb:

```ruby
ffmpeg_command = "foo" # unrelated
options = "" # unrelated
filter_volume_argument = "bar" # unrelated

# Command that will be executed
file = "touch pwned"

# This command should be built as an array instead of a string, that way injection would be impossible!
command = "#{ffmpeg_command} -loglevel 0 -i \"#{file}\" #{options} -f s16le -ar 48000 -ac 2 #{filter_volume_argument} pipe:1"
IO.popen(command)
```
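An added example, not discordrb's code or the advisory's, contrasting the shell-string shape above with the argv-array form the advisory recommends. It uses a Ruby one-liner in place of ffmpeg so it runs without that binary; `encode_file_argv`, `unsafe_in_shell_string?` and `child_argv` are hypothetical names, and options and the volume filter are taken as arrays rather than the strings the library interpolates.

```ruby
require 'open3'
require 'rbconfig'

# Stand-in for ffmpeg so the example runs anywhere: a Ruby child process that
# prints each element of its argv on its own line, i.e. exactly what the real
# ffmpeg binary would receive. The '--' stops ruby from parsing later flags.
ARGV_ECHO = [RbConfig.ruby, '-e', 'puts ARGV', '--'].freeze

# Characters that, inside the advisory's `-i \"#{file}\"` shell string, let a
# filename close the quotes or trigger shell expansion. Usable as an input
# guard, or as a detection rule over values that reach encode_file.
SHELL_BREAKOUT = /["$`\\]/.freeze

def unsafe_in_shell_string?(file)
  file.match?(SHELL_BREAKOUT)
end

# Hardened form the advisory calls for: an argv array handed straight to the
# OS. No shell parses it, so `file` is always exactly one argument, whatever
# characters it contains. (Hypothetical name; mirrors the ffmpeg flags above.)
def encode_file_argv(file, options = [], filter_volume_argument = [])
  [*ARGV_ECHO, '-loglevel', '0', '-i', file, *options,
   '-f', 's16le', '-ar', '48000', '-ac', '2', *filter_volume_argument, 'pipe:1']
end

# Spawn the array form (no shell involved) and return the argv the child saw.
def child_argv(file)
  out, status = Open3.capture2(*encode_file_argv(file))
  raise "child failed: #{status}" unless status.success?
  out.lines.map(&:chomp)
end

if $PROGRAM_NAME == __FILE__
  # Constructed filename shaped to break out of the quoted shell string.
  hostile = 'song.mp3" ; echo pwned ; "'
  puts unsafe_in_shell_string?(hostile) # true: the string form would be unsafe
  p child_argv(hostile)                 # array form: delivered verbatim as one argv entry
end
```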

References