
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN416
____________________________________________________________________

DATE                : 16/10/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Ruby versions 1.9.3 prior to
                             patchlevel 286,
                        development branches of Ruby versions 2.0.0
                             prior to revision r37163.

======================================================================
http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/
http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/
______________________________________________________________________


Unintentional file creation caused by inserting an illegal NUL character
(CVE-2012-4522)

A vulnerability was found in Ruby's file creation routines: when NUL
byte(s) are strategically inserted into a file path, these routines can
create unintended files. This vulnerability has been reported as
CVE-2012-4522.

Details

Ruby can handle arbitrary binary data in Strings, including NUL
characters. Operating systems and other libraries, on the other hand,
generally do not: they treat a NUL as the end-of-string marker. When
interfacing Ruby with them, NUL characters must therefore be rejected or
avoided.

However, methods such as IO#open did not check the filename passed to
them and simply handed the string to lower-layer routines. The path was
therefore truncated at the first NUL, creating an unintended file like
this:

p File.exists?("foo")      #=> false
open("foo\0bar", "w") { |f| f.puts "hai" }
p File.exists?("foo")      #=> true
p File.exists?("foo\0bar") #=> raises ArgumentError
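
The following Ruby code is an added example and is not part of the
original advisory: it models what the C layer sees when a NUL-bearing
path is handed down unchecked, adds a hypothetical guard (checked_open)
that rejects such paths before they reach File.open, and confirms that a
patched interpreter refuses the raw call itself. The input "foo\0bar" is
constructed to replay the case above; the scratch directory is only there
so nothing stray lands in the working directory.

```ruby
# Added example (not the advisory's code): the C-string boundary behind CVE-2012-4522.
require "tmpdir"

# libc and the kernel treat the first NUL as end-of-string, so this is the
# only part of a Ruby String that open(2) would ever see.
def as_seen_by_libc(path)
  path.b.split("\0", 2).first || ""
end

# True when handing this path to the OS would silently drop a suffix.
def nul_truncated?(path)
  as_seen_by_libc(path) != path.b
end

# Hypothetical guard: refuse NUL-bearing paths before they reach File.open,
# so the check does not depend on the interpreter's own validation.
def checked_open(path, mode = "r", &blk)
  if nul_truncated?(path)
    raise ArgumentError, "path contains a NUL byte: #{path.inspect}"
  end
  File.open(path, mode, &blk)
end

# Replays the advisory's "foo\0bar" case inside a scratch directory.
def demo
  crafted = "foo\0bar"                          # constructed input
  result = {
    ruby_bytes: crafted.bytesize,               # 7: Ruby keeps every byte
    os_sees: as_seen_by_libc(crafted),          # "foo"
    truncated: nul_truncated?(crafted)          # true
  }
  Dir.mktmpdir do |dir|
    target = dir + "/" + crafted                # String#+ does no path checks
    result[:guard_rejects] = begin
      checked_open(target, "w") { |f| f.puts "hai" }
      false
    rescue ArgumentError
      true
    end
    # A patched interpreter (>= 1.9.3p286) refuses the raw call as well.
    result[:interpreter_rejects] = begin
      File.open(target, "w") { |f| f.puts "hai" }
      false
    rescue ArgumentError
      true
    end
    result[:stray_file_created] = File.exist?(dir + "/foo")
  end
  result
end
```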


Affected versions

    All Ruby 1.9.3 prior to patchlevel 286
    All development branches of Ruby 2.0.0 prior to revision r37163


Solution

Upgrade to the latest version.


Credit

This issue was reported by Peter Bex.


Updates

    Added a mention about CVE number at 2012-10-16 08:58:51 JST.
    Originally published at 2012-10-12 19:19:55 JST.

______________________________________________________________________


$SAFE escaping vulnerability about Exception#to_s / NameError#to_s
(CVE-2012-4464, CVE-2012-4466)

Vulnerabilities were found in Exception#to_s, NameError#to_s, and
name_err_mesg_to_s(), an interpreter-internal Ruby API. Malicious user
code can bypass the $SAFE check by exploiting one of these security holes.


Details

Ruby's $SAFE mechanism allows untrusted user code to run in $SAFE >= 4
mode. This is a form of sandboxing: certain operations are restricted in
that mode to protect data outside the sandbox.

The problem lies in this mechanism. Exception#to_s, NameError#to_s, and
the interpreter-internal name_err_mesg_to_s() did not handle the $SAFE
bits correctly, so a String object that is not tainted could be
destructively marked as tainted through them. Using this, untrusted code
in a sandbox can destructively modify a formerly-untainted string.

Ruby 1.8 once had a similar security issue. That fix covered
Exception#to_s and NameError#to_s, but the name_err_mesg_to_str() issue
survived the previous security fix.


Affected versions

    all Ruby 1.8.7 prior to patchlevel 371
    all Ruby 1.9.3 prior to patchlevel 286
    all development branches of Ruby 2.0 prior to revision r37068


Solution

Upgrade to the latest version.


Credit

This vulnerability was found by Tyler Hickes.


Updates

    Originally published at 2012-10-12 19:17:50 JST.



======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
