Vigil@nce - Ruby: call to DL/Fiddle in SAFE mode
May 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When Ruby is in $SAFE mode, a DL/Fiddle function can be called on
a tainted variable, which can lead to code execution.
– Impacted products: Slackware, Unix (platform)
– Severity: 2/4
– Creation date: 14/05/2013
DESCRIPTION OF THE VULNERABILITY
The $SAFE variable indicates the security level to apply to the
Ruby code. When $SAFE is greater than zero, tainted variables
(data that originates outside the program) cannot be used by sensitive features.
The DL and Fiddle modules of Ruby are used to create new Ruby
functions from libraries loaded with dlopen(). However, these new functions are allowed
to work on tainted variables, so the taint check is never applied at the native-call boundary.
When Ruby is in $SAFE mode, a DL/Fiddle function can therefore be
called on a tainted variable, which can lead to code execution.
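As an added example (not from the bulletin, and not code from Ruby's own DL/Fiddle), the following shows the check that was missing: a wrapper that refuses to pass externally sourced data to a dlopen()ed function. It does not rely on $SAFE or Object#tainted?, which later Ruby releases removed; provenance is instead recorded explicitly. The names Provenance, GuardedNative, native_strlen and process_external are chosen here, and strlen(3) from the C library of the running process stands in for any native function.

```ruby
require 'fiddle'

# Explicit provenance tracking by object identity, standing in for the
# taint flag that $SAFE relied on (constructed for this example).
module Provenance
  UNTRUSTED = {}.compare_by_identity

  # Mark an object as coming from an external source (ARGV, ENV, a socket...).
  def self.mark(obj)
    UNTRUSTED[obj] = true
    obj
  end

  def self.untrusted?(obj)
    UNTRUSTED.key?(obj)
  end
end

# Wraps a Fiddle::Function so that every call checks its arguments first;
# this is the boundary check the bulletin says DL/Fiddle skipped in $SAFE mode.
class GuardedNative
  def initialize(handle, name, arg_types, ret_type)
    @name = name
    @fn = Fiddle::Function.new(handle[name], arg_types, ret_type)
  end

  def call(*args)
    args.each do |a|
      raise SecurityError, "untrusted argument passed to #{@name}" if Provenance.untrusted?(a)
    end
    @fn.call(*args)
  end
end

# Resolve strlen(3) from the running process, as any dlopen()ed library would be.
LIBC = Fiddle.dlopen(nil)
STRLEN = GuardedNative.new(LIBC, 'strlen', [Fiddle::TYPE_VOIDP], Fiddle::TYPE_SIZE_T)

# Trusted input reaches the native function and its result is returned.
def native_strlen(str)
  STRLEN.call(str)
end

# Simulates the vulnerable flow: data that arrived from outside is handed to the
# native call. Returns :blocked when the guard stops it, :called otherwise.
def process_external(input)
  Provenance.mark(input)
  native_strlen(input)
  :called
rescue SecurityError
  :blocked
end
```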
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Ruby-call-to-DL-Fiddle-in-SAFE-mode-12799