Vigil@nce: Ruby 1.8, modify a variable via NameError despite SAFE 4

October 2012 by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

When a Ruby 1.8 application allows external code to run in SAFE 4
mode, that code can use NameError to modify a variable of the
application.

 Impacted products: Unix (platform)
 Severity: 2/4
 Creation date: 08/10/2012

DESCRIPTION OF THE VULNERABILITY

The security level "$SAFE = 4" limits the features that Ruby code
is allowed to use. For example, in SAFE 4 mode, Ruby code is not
allowed to modify an untainted (internal) string. SAFE 4 mode is
usually used to execute code coming from an untrusted source, such
as a plugin.

A NameError can be converted to a string. For example:

  Exception.new($variable).to_s

However, this function automatically taints the variable with
OBJ_INFECT(). As the variable becomes tainted, the SAFE 4 mode
does not forbid its modification.

This vulnerability only impacts Ruby 1.8. It is similar to
VIGILANCE-VUL-11993 (https://vigilance.fr/tree/1/11993), but its
origin is a variant of CVE-2011-1005 (VIGILANCE-VUL-10383
(https://vigilance.fr/tree/1/10383)).

When a Ruby 1.8 application allows external code to run in SAFE 4
mode, that code can therefore use NameError to modify a variable
of the application. Depending on the modified variable, the
application can then be forced to perform unwanted tasks.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/Ruby-1-8-modify-a-variable-via-NameError-despite-SAFE-4-12003

