CVE-2014-4992

Vulnerability

The cap-strap gem version 0.1.5 for Ruby contains a vulnerability in lib/cap-strap/helpers.rb where the create_user method constructs a useradd command line that includes the password argument (-p). The password is passed directly as a parameter to the command, making it visible in the system process table to any local user who lists running processes. Additionally, the advisory notes that the same hard-coded salt 'sa' is used every time for the password crypt hash [1][2][3][4].

Exploitation

An attacker needs only local access to the system where the gem is executed. By running a process listing command (e.g., ps aux or viewing /proc//cmdline), the attacker can observe the full command line of any useradd process spawned by the gem, thereby capturing the plaintext password passed as the -p argument. No authentication or user interaction beyond local shell access is required [1][3][4].

Impact

Successful exploitation leads to disclosure of the password supplied to the create_user function. Since passwords are often reused or grant access to other resources, this is a direct compromise of confidentiality. The attacker gains no elevated privileges on the system itself, but may use the disclosed credential to authenticate as the affected user or to access external services where the same password is used [1][2][3].

Mitigation

The cap-strap gem version 0.1.5 is the only affected version. No fixed version has been released; the gem appears to be unmaintained. The recommended mitigation is to avoid using this gem, or to modify the source code to pass the password via a secure channel (e.g., stdin or a hashed value) rather than on the command line. There is no entry in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2][3][4].