9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.144 Low
EPSS
Percentile
95.1%
When parsing a gem POSTed to the /api/v1/gems
endpoint, the rubygems.org application immediately calls Gem::Package.new(body).spec
inside app/models/pusher.rb
. The authors of the application correctly observed that parsing untrusted YAML is dangerous (since it can serialize more or less arbitrary objects), so they monkey-patched the spec parser to use Psych.safe_load
set from config/initializers/forbidden_yaml.rb
.
However, YAML.load
is called directly when parsing the gem’s checksum file in Gem::Package#read_checksums
. Using classes accessible within the application, I was able to turn this into a call to Marshal.load
on attacker-controlled data. From there, I was able to use known Marshal exploitation techniques to achieve code execution on the server (I’m omitting some details here for brevity so that I can submit this report right away).
A proof of concept, poc.gem
, is attached. Run the exploit with the following command:
cat poc.gem | curl -H 'Content-Type: application/gzip' --data-binary @- -H 'Authorization: █████' https://rubygems.org/api/v1/gems
I ran the attached PoC twice. It just does a wget
to my server.
Please let me know if I should clarify anything! Thanks for running this program.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.144 Low
EPSS
Percentile
95.1%