
Ruby 2.x Universal RCE Deserialization Gadget Chain - fpunit
https://www.elttam.com.au/blog/ruby-deserialization/
======
pentestercrab
For anyone interested in gadget chains for other languages, these Github repos
are quite interesting:

\- Java:
[https://github.com/frohoff/ysoserial](https://github.com/frohoff/ysoserial)

\- .NET:
[https://github.com/pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net)

\- PHP:
[https://github.com/ambionics/phpggc](https://github.com/ambionics/phpggc)

------
burlesona
This is interesting, although not that novel. Marshal deserialization has
always been unsafe, and in > 10 years as a Ruby engineer I’ve never seen it
used in a production system. I would guess that finding a system vulnerable to
this exploit would be a more interesting story than the exploit itself.

~~~
HackAllThings
As a pen tester, I wholeheartedly disagree. It’s probably more common to see
unsafe YAML deserialization, rather than directly deserializing marshaled Ruby
objects, but both are impactful and these types of vulnerabilities do exist.
Just recently I assessed an application that used unsafe serialization to pass
around an object encoded in the value of a cookie. It contained transient data
related to the user’s session (e.g. what page they last visited). Last year I
assessed an application that allowed users to upload YAML files, which would
get parsed and deseralized as Ruby objects. Unfortunately I didn’t have a
universal gadget chain then, so I had to note it as theoretically exploitable
in my report. That’s troublesome because some clients may take it less
seriously.

I’m personally very impressed with this research and I think it does a net
good, demonstrating that deserialization of Ruby objects in any form is unsafe
when you can’t trust the input.

------
pjungwir
I'm trying to interpret what this means. I think it's saying that a previous
result showed that `Marshal.load` on user-supplied input gave an RCE if you
were running Rails (basically, see the 3 conditions under "Previous
Payloads"), but the new result is that `Marshal.load` is _always_ unsafe, with
just the stdlib. Does that sound right to other folks?

~~~
woodruffw
`Marshal.load` was already always unsafe -- what this changes is the
difficulty of writing a malicious payload.

Previously (for Marshal anyways, not sure about pickle), you would need to
know a least a _little_ bit about how the input is being used, so that you
could monkeypatch one of the methods eventually used by it. This makes it
possible to get RCE without any knowledge of the codebase.

------
jwilk
If you wonder how to execute code via git clone:

    
    
      $ git clone --config=core.gitProxy=awk 'git://BEGIN{system("cowsay pwned > \x2fdev\x2ftty")}/'
      Cloning into 'BEGIN{system("cowsay pwned > \x2fdev\x2ftty")}'...
       _______
      < pwned >
       -------
              \   ^__^
               \  (oo)\_______
                  (__)\       )\/\
                      ||----w |
                      ||     ||
      fatal: Could not read from remote repository.
      
      Please make sure you have the correct access rights
      and the repository exists.

~~~
Jenz
Why \x2f (in \x2fdev\x2ftty)?

~~~
jwilk
Only hostname (i.e. the thing between git:// and the next slash) is passed as
an argument to the proxy command, so slashes in the payload had to be escaped.

------
aero_sm1th
The title is kinda misleading. This should mention Payload for vulnerabilities
within the Ruby libs.

~~~
HackAllThings
That is fully captured in the notion of a _universal_ deserialization gadget
chain. However, for those not familiar with the concept of gadgets, yes, I can
see how it might be a bit confusing at first.

------
sribalakumar
The only known way for this to work on a Rails application was setting
"Content-Type:application/xml" and then injecting the gadget chain payload to
the request data like -

<bang type="yaml"> #{gadget payload} </bang>

But this has been fixed in Rails since CVE-2013-0156-
[https://groups.google.com/forum/#!topic/rubyonrails-
security...](https://groups.google.com/forum/#!topic/rubyonrails-
security/61bkgvnSGTQ)

Is this RCE possible on Rails application having fix for CVE-2013-0156 and
using Ruby versions 2 to 2.5 ?

------
Jenz
The "RCE" acronym is only used in the title, what is it?

~~~
cnorthwood
Remote command execution

~~~
Jenz
Aha, thanks!

