
Ruby TclTkIp ip_cancel_eval Type Confusion Vulnerabilities

2016-06-14 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE
  Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED
  Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

EPSS: 0.08 Low (Percentile: 94.3%)

Talos Vulnerability Report

TALOS-2016-0031

Ruby TclTkIp ip_cancel_eval Type Confusion Vulnerabilities

June 14, 2016
CVE Number

CVE-2016-2337

DESCRIPTION

A type confusion vulnerability exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker who passes an object of a type other than String as the "retval" argument can cause arbitrary code execution.

TESTED VERSIONS

Ruby 2.3.0 dev
Ruby 2.2.2
Tcl/Tk 8.6 or later

PRODUCT URLs

https://www.ruby-lang.org

DETAILS

Vulnerable code:

---------------------------------------------- code ---------------------------------------------
Line 7761    static VALUE
Line 7762    ip_cancel_eval(argc, argv, self)
Line 7763    int   argc;
Line 7764    VALUE *argv;
Line 7765    VALUE self;
Line 7766    {
Line 7767        VALUE retval;
Line 7768
Line 7769        if (rb_scan_args(argc, argv, "01", &retval) == 0) {
Line 7770            retval = Qnil;
Line 7771        }
Line 7772        if (ip_cancel_eval_core(get_ip(self)->ip, retval, 0) == TCL_OK) {
Line 7773            return Qtrue;
Line 7774        } else {
Line 7775            return Qfalse;
Line 7776        }
Line 7777    }

Line 7736    static int
Line 7737    ip_cancel_eval_core(interp, msg, flag)
Line 7738    Tcl_Interp *interp;
Line 7739    VALUE msg;
Line 7740    int flag;
Line 7741    {
Line 7742    #if TCL_MAJOR_VERSION < 8 || (TCL_MAJOR_VERSION == 8 && TCL_MINOR_VERSION < 6)
Line 7743        rb_raise(rb_eNotImpError,
Line 7744                 "cancel_eval is supported Tcl/Tk8.6 or later.");
Line 7745
Line 7746        UNREACHABLE;
Line 7747    #else
Line 7748        Tcl_Obj *msg_obj;
Line 7749
Line 7750        if (NIL_P(msg)) {
Line 7751            msg_obj = NULL;
Line 7752        } else {
Line 7753            msg_obj = Tcl_NewStringObj(RSTRING_PTR(msg), RSTRING_LEN(msg));
Line 7754            Tcl_IncrRefCount(msg_obj);
Line 7755        }
Line 7756
Line 7757        return Tcl_CancelEval(interp, msg_obj, 0, flag);
Line 7758    #endif
Line 7759    }
---------------------------------------------- code ---------------------------------------------

In line 7769 the argument of the "_cancel_eval" method is parsed into the "retval" variable without any type check. This variable is then passed to the "ip_cancel_eval_core" function (line 7772), where it arrives as the "msg" argument. In line 7753 "msg" is treated as a String object: RSTRING_PTR and RSTRING_LEN read the character pointer and length straight out of the object the VALUE points to. Passing an object other than a String (or nil) therefore causes a type confusion in this line, because those reads are performed on memory that was never laid out as a String.
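The check that is missing at line 7753, shown as an added example that is not Talos's report code or Ruby's ext/tk source: a constructed, self-contained C model of Ruby's VALUE tagging (odd VALUEs are immediate Fixnums, even VALUEs point to a heap object whose header carries a type tag; this stands in for ruby.h and is deliberately simplified) with a hardened counterpart of the message handling in ip_cancel_eval_core. The functions rb_type_of, make_string, make_array, unchecked_deref_address and checked_cancel_msg, and the constant values used for Qnil and the type tags, are assumptions of this example, not names from the real extension.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the Ruby object representation (assumption; stands in
 * for ruby.h): odd VALUEs are immediate Fixnums, even VALUEs point to a heap
 * object whose first word is a type tag, nil is the constant Qnil. */
typedef uintptr_t VALUE;

enum rb_type { T_NONE = 0, T_STRING = 1, T_ARRAY = 2 };

typedef struct { enum rb_type type; } RBasic;
typedef struct { RBasic basic; const char *ptr; size_t len; } RString;
typedef struct { RBasic basic; size_t len; } RArray;

#define Qnil           ((VALUE)8)
#define NIL_P(v)       ((v) == Qnil)
#define FIXNUM_P(v)    (((v) & 1) != 0)
#define INT2FIX(i)     ((((VALUE)(i)) << 1) | 1)
#define RSTRING_PTR(v) (((RString *)(v))->ptr)
#define RSTRING_LEN(v) (((RString *)(v))->len)

/* Type tag lookup; nil and immediates have no heap header to read. */
static enum rb_type rb_type_of(VALUE v) {
    if (NIL_P(v) || FIXNUM_P(v)) return T_NONE;
    return ((RBasic *)v)->type;
}

/* Tiny allocators so the example can build realistic inputs offline
 * (constructed; calloc returns aligned, hence even, pointers). */
static VALUE make_string(const char *s) {
    RString *str = calloc(1, sizeof *str);
    str->basic.type = T_STRING;
    str->ptr = s;
    str->len = strlen(s);
    return (VALUE)str;
}
static VALUE make_array(void) {
    RArray *ary = calloc(1, sizeof *ary);
    ary->basic.type = T_ARRAY;
    return (VALUE)ary;
}

/* What the unchecked original does with `msg`: it casts the VALUE to an
 * RString* and reads ptr through it. For a Fixnum that "pointer" is just the
 * tagged integer, so this helper only reports the address the original would
 * read from instead of reading it. */
static uintptr_t unchecked_deref_address(VALUE msg) {
    return (uintptr_t)msg + offsetof(RString, ptr);
}

/* Hardened counterpart of the message handling in ip_cancel_eval_core.
 * Instead of calling into Tcl it copies the message into `out` and returns:
 *   0  accepted (nil -> empty message, String -> its bytes)
 *  -1  wrong type; a real extension would rb_raise(rb_eTypeError, ...) here
 *      (or call StringValue(msg)) before touching RSTRING_PTR. */
static int checked_cancel_msg(VALUE msg, char *out, size_t outlen) {
    if (NIL_P(msg)) {                  /* nil is the documented "no message" case */
        out[0] = '\0';
        return 0;
    }
    if (rb_type_of(msg) != T_STRING) { /* the check the vulnerable code lacks */
        return -1;
    }
    size_t n = RSTRING_LEN(msg);
    if (n >= outlen) n = outlen - 1;   /* bound the copy to the caller's buffer */
    memcpy(out, RSTRING_PTR(msg), n);
    out[n] = '\0';
    return 0;
}
```

With the Fixnum from the PoC below, unchecked_deref_address shows that the original code would read an RString header from an address derived directly from the attacker-supplied integer, while checked_cancel_msg rejects it (and any non-String heap object such as an Array) before any such read happens; only nil and genuine Strings reach RSTRING_PTR.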

POC

---------------------------------- PoC test.rb ----------------------------------------

require 'tk'
t = TclTkIp.new()
t._cancel_eval(0x11223344)

---------------------------------- PoC test.rb ----------------------------------------

TIMELINE

2015-06-18 - Initial Discovery
2015-06-30 - Vendor Notification
2016-06-14 - Public Disclosure

Credit

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos


