Lucene search
Ooooooo_qH1:302997HistoryJan 07, 2018 - 9:18 a.m.
Ruby: Unix domain socket and a path containing a null character
2018-01-0709:18:54
ooooooo_q
hackerone.com
$500
57
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
68.8%
Some methods on UNIX domain socket are not checked for null characters.
[vagrant@localhost ~]$ ls /tmp
[vagrant@localhost ~]$ irb
irb(main):001:0> require 'socket'
=> true
irb(main):002:0> UNIXServer.open("/tmp/socket\0ruby") {|serv|
irb(main):003:1* c = UNIXSocket.open("/tmp/socket\0sapphire")
irb(main):004:1> s = serv.accept
irb(main):005:1> s.write "from server"
irb(main):006:1> c.write "from client"
irb(main):007:1> p c.recv(20)
irb(main):008:1> p s.recv(20)
irb(main):009:1> }
"from server"
"from client"
=> "from client"
irb(main):010:0> UNIXServer.open("/tmp/socket2") {|serv|
irb(main):011:1* c = Socket.unix("/tmp/socket2\0emerald")
irb(main):012:1> s = serv.accept
irb(main):013:1> s.write "from server"
irb(main):014:1> p c.recv(20)
irb(main):015:1> }
"from server"
=> "from server"
# safe
irb(main):016:0> Socket.unix_server_loop("/tmp/socket3\0yellow")
Traceback (most recent call last):
5: from /home/vagrant/.rbenv/versions/2.5.0/bin/irb:11:in `<main>'
4: from (irb):16
3: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/socket.rb:1163:in `unix_server_loop'
2: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/socket.rb:1108:in `unix_server_socket'
1: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/socket.rb:1108:in `lstat'
ArgumentError (path name contains null byte)
irb(main):017:0> Socket.unix_server_socket("/tmp/socket3\0yellow")
Traceback (most recent call last):
4: from /home/vagrant/.rbenv/versions/2.5.0/bin/irb:11:in `<main>'
3: from (irb):17
2: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/socket.rb:1108:in `unix_server_socket'
1: from /home/vagrant/.rbenv/versions/2.5.0/lib/ruby/2.5.0/socket.rb:1108:in `lstat'
ArgumentError (path name contains null byte)
Impact
It may be connected to an unintended socket.
Related
redhatcve
redhatcve
CVE-2018-8779
2020-04-08 21:12:22
prion
prion
Design/Logic Flaw
2018-04-03 22:29:00
cve
cve
CVE-2018-8779
2018-04-03 22:29:00
veracode
veracode
NULL Byte Injection
2019-05-16 03:22:57
alpinelinux
alpinelinux
CVE-2018-8779
2018-04-03 22:29:00
osv
osv
CVE-2018-8779
2018-04-03 22:29:00
ruby1.8 - security update
2018-04-23 00:00:00
ruby1.9.1 - security update
2018-04-23 00:00:00
cvelist
cvelist
CVE-2018-8779
2018-04-03 22:00:00
ubuntucve
ubuntucve
CVE-2018-8779
2018-04-03 00:00:00
debiancve
debiancve
CVE-2018-8779
2018-04-03 22:29:00
nessus
nessus
Ubuntu 14.04 LTS / 16.04 LTS : Ruby vulnerabilities (USN-3626-1)
2023-10-20 00:00:00
EulerOS 2.0 SP2 : ruby (EulerOS-SA-2018-1206)
2018-07-03 00:00:00
EulerOS Virtualization 2.5.1 : ruby (EulerOS-SA-2018-1275)
2018-09-18 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-3626-1)
2018-10-26 00:00:00
Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1275)
2020-01-23 00:00:00
Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1206)
2020-01-23 00:00:00
ubuntu
ubuntu
Ruby vulnerabilities
2018-04-16 00:00:00
fedora
fedora
[SECURITY] Fedora 28 Update: ruby-2.5.1-92.fc28
2018-04-15 02:45:12
[SECURITY] Fedora 26 Update: ruby-2.4.4-88.fc26
2018-05-29 11:09:55
[SECURITY] Fedora 27 Update: ruby-2.4.4-89.fc27
2018-06-06 12:59:35
freebsd
freebsd
ruby -- multiple vulnerabilities
2018-03-28 00:00:00
f5
f5
K80173446 : Multiple Ruby vulnerabilities
2018-05-08 00:00:00
debian
debian
[SECURITY] [DLA 1359-1] ruby1.8 security update
2018-04-23 09:52:22
[SECURITY] [DLA 1358-1] ruby1.9.1 security update
2018-04-23 09:51:34
[SECURITY] [DSA 4259-1] ruby2.3 security update
2018-07-31 21:40:52
slackware
slackware
[slackware-security] ruby
2018-03-29 22:43:54
mageia
mageia
Updated ruby packages fix security vulnerability
2018-10-26 21:47:14
amazon
amazon
Medium: ruby20, ruby22, ruby23, ruby24
2018-04-04 23:18:00
Medium: ruby
2019-08-23 03:41:00
redhat
redhat
(RHSA-2018:3729) Important: rh-ruby23-ruby security, bug fix, and enhancement update
2018-11-29 09:29:41
(RHSA-2019:2028) Moderate: ruby security update
2019-08-06 07:52:23
centos
centos
ruby, rubygem, rubygems security update
2019-08-30 04:17:17
oraclelinux
oraclelinux
ruby security update
2019-08-13 00:00:00
suse
suse
Security update for ruby-bundled-gems-rpmhelper, ruby2.5 (important)
2019-07-21 00:00:00
apple
apple
About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
2018-07-09 00:00:00
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
68.8%
Related for H1:302997