Mageia Bugzilla – Attachment 11433 Details for Bug 25564: ruby new security issues CVE-2019-15845, CVE-2019-16201, CVE-2019-1625[45]
PoC and gem tests for ruby

Filename: report.25897
MIME Type: text/plain
Creator: Len Lawrence
Created: 2019-12-25 01:31:22 CET
Size: 4.40 KB
Description: PoC and gem tests for ruby
Some PoC tests are supplied at the URLs indicated.

*Before*

CVE-2019-15845
https://hackerone.com/reports/449617
The interactive tests show true or false as reported upstream.

CVE-2019-16201
https://hackerone.com/reports/661722
Started the test server supplied at that address:
$ ruby poc_server.rb
[2019-12-24 18:35:08] INFO WEBrick 1.4.2
[2019-12-24 18:35:08] INFO ruby 2.5.3 (2018-10-18) [x86_64-linux]
[2019-12-24 18:35:08] INFO WEBrick::HTTPServer#start: pid=12536 port=8000
In another terminal:
$ time curl -I --header 'Authorization: Digest a="\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b' http://localhost:8000

This returned after a while.....

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=ISO-8859-1
Server: WEBrick/1.4.2 (Ruby/2.5.3/2018-10-18)
Date: Tue, 24 Dec 2019 18:38:12 GMT
Content-Length: 291
Connection: close
real 0m7.324s
user 0m0.010s
sys 0m0.005s

A longer attack string (adding \b multiple times) would take longer to evaluate, leading to a DoS.

CVE-2019-16254
This refers back to the same issue in CVE-2017-17742, which had not been completely fixed.

CVE-2019-16255
https://hackerone.com/reports/327512
Command injection is possible:
$ irb
irb(main):001:0> `ls xy`
ls: cannot access 'xy': No such file or directory
=> ""
irb(main):002:0> require 'shell'
=> true
irb(main):003:0> sh = Shell.new
=> #<Shell:0x0000000000ab9b18>
irb(main):004:0> sh['system', '$(touch xy)']
sh: /data/qa/ruby/: Is a directory
=> false
irb(main):005:0> `ls xy`
=> "xy\n"
irb(main):006:0>
<There was some discussion at this point - could not follow>
irb(main):006:0> sh['instance_eval', '.match (puts "z")']
Traceback (most recent call last):
        5: from /usr/bin/irb:11:in `<main>'
        4: from (irb):6
        3: from /usr/share/ruby/shell/command-processor.rb:595:in `[]'
        2: from /usr/share/ruby/shell/command-processor.rb:186:in `test'
        1: from /usr/share/ruby/shell/command-processor.rb:186:in `instance_eval'
SyntaxError ((eval):1: unknown regexp options - qa)
(eval):1: syntax error, unexpected '.'
/data/qa/ruby/.match (puts "z")
              ^
irb(main):007:0>

*Afterwards*

CVE-2019-15845
Repeated the interactive tests referred to earlier and in all cases the nul bytes were detected and an ArgumentError returned.
Good result.

CVE-2019-16201
Restarted the WEBrick server then:
$ time curl -I --header 'Authorization: Digest a="\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b' http://localhost:8000
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=ISO-8859-1
Server: WEBrick/1.4.2 (Ruby/2.5.7/2019-10-01)
Date: Tue, 24 Dec 2019 23:44:55 GMT
Content-Length: 291
Connection: close

real 0m0.005s
user 0m0.002s
sys 0m0.002s

Immediate return, so the vulnerability has been squashed.

CVE-2019-16255
$ irb
irb(main):001:0> require 'shell'
=> true
irb(main):002:0> sh = Shell.new
=> #<Shell:0x00000000013aef48>
irb(main):003:0> sh['system', '$(touch xy)']
Traceback (most recent call last):
        4: from /usr/bin/irb:11:in `<main>'
        3: from (irb):3
        2: from /usr/share/ruby/shell/command-processor.rb:598:in `[]'
        1: from /usr/share/ruby/shell/command-processor.rb:184:in `test'
RuntimeError (unsupported command: system)
irb(main):004:0> sh['instance_eval', '.match (puts "z")']
Traceback (most recent call last):
        4: from /usr/bin/irb:11:in `<main>'
        3: from (irb):4
        2: from /usr/share/ruby/shell/command-processor.rb:598:in `[]'
        1: from /usr/share/ruby/shell/command-processor.rb:184:in `test'
RuntimeError (unsupported command: instance_eval)

Good result.

So those three CVEs have been fixed.

$ gem list
*** LOCAL GEMS ***

activesupport (5.2.3)
archive-zip (0.12.0)
astro_moon (0.2)
atk (3.3.1)
bigdecimal (1.4.4)
cairo (1.16.4, 1.16.2)
cairo-gobject (3.3.1)
coderay (1.1.2)
concurrent-ruby (1.1.5)
did_you_mean (1.2.0)
[...]
tk (0.2.0)
tty-screen (0.7.0)
tzinfo (1.2.5)
unicode-display_width (1.6.0)
xmlrpc (0.3.0)
yard (0.9.20)

$ sudo gem install nokogiri
Fetching: mini_portile2-2.4.0.gem (100%)
Successfully installed mini_portile2-2.4.0
Fetching: nokogiri-1.10.7.gem (100%)
Building native extensions. This could take a while...
Successfully installed nokogiri-1.10.7
Parsing documentation for mini_portile2-2.4.0
Installing ri documentation for mini_portile2-2.4.0
Parsing documentation for nokogiri-1.10.7
Installing ri documentation for nokogiri-1.10.7
Done installing documentation for mini_portile2, nokogiri after 1 seconds
2 gems installed
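Two of the checks the report performs by hand (File.fnmatch with a NUL byte for CVE-2019-15845, Shell#[] dispatch for CVE-2019-16255) as a script a packager can rerun after each ruby update. This is an added example, not part of the attachment or of Mageia's QA tooling; it assumes the 'shell' library is either absent (it left the standard library in Ruby 3.0) or the one the report tested, and it does not reproduce the curl-timed WEBrick checks.

```ruby
# Added regression checks mirroring the report's manual irb tests.
# Both probes are inert: no file is created and no command runs
# whether the installed ruby is fixed or not.

# CVE-2019-15845: File.fnmatch must reject a NUL byte in the pattern.
# A vulnerable ruby truncates the pattern at the NUL, so "foo\0bar"
# silently matches "foo"; a fixed ruby raises ArgumentError, which is
# the "nul bytes were detected" result the report describes.
def check_fnmatch_nul
  File.fnmatch("foo\0bar", "foo")
  :vulnerable
rescue ArgumentError
  :fixed
end

# CVE-2019-16255: Shell#[] must only dispatch to FileTest predicates.
# A fixed Shell raises RuntimeError "unsupported command: ..." for any
# other method name, as in the report's 'Afterwards' session.
# 'shell' may not be installable here, so report :unavailable instead
# of failing the whole run when it cannot be loaded.
def check_shell_dispatch
  require 'shell'
  sh = Shell.new
  # Positive control: a real predicate must keep working after the fix.
  return :broken unless sh['exist?', '.']
  # Non-predicate name. Shell expands 'true' to ./true, which does not
  # exist, so even a vulnerable Shell executes nothing for this probe.
  sh['system', 'true']
  :vulnerable
rescue RuntimeError => e
  e.message.include?('unsupported command') ? :fixed : :vulnerable
rescue LoadError
  :unavailable
end

if $PROGRAM_NAME == __FILE__
  puts "CVE-2019-15845 File.fnmatch NUL byte: #{check_fnmatch_nul}"
  puts "CVE-2019-16255 Shell#[] dispatch:    #{check_shell_dispatch}"
end
```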