
I searched a bit and found patches that I think help to explain what was going on and how severe things were. I'd appreciate it if anyone could confirm I found the correct stuff and if anyone could help explain what happened (in particular, I don't understand why the timing attack bug would lead to a remote code execution).

-----------

The first bug seems to be in some function that checks if you can find a file in a folder. Currently the function counts the number of ".."s to make sure you don't go out of the folder you started the search in (emitting an error if the depth becomes less than 0). However, this does not take into account the possibility of one of the intermediate folders in the path being a symlink, meaning that `./symlink/../bar` is not the same as `./bar` and therefore ruining the logic. The fix seems to be a hack to transform `./xxx/../b`s into `./b` by hand, without passing it to the filesystem.

https://github.com/rack/rack/commit/6f237e4c9fab649d37504825...

The second bug seems to have to do with `==` not being safe and them having to do a "secure compare":

https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d6...

edit: apparently the problem here is the time that `==` takes to run depends on the inputs. This means an attacker can do multiple carefully crafted requests and use this timing information to guess your secret key stuff. I still don't know why guessing the secret stuff would lead to remote code execution though.




The second one is a timing issue. You need to have an equality method that takes an equal amount of time on success or failure.

Here's a good read on timing attacks in general: http://codahale.com/a-lesson-in-timing-attacks/


"In short, a timing attack uses statistical analysis of how long it takes your application to do something in order to learn something about the data it’s operating on" -- great read.. my mind is blown for today...


Counting .. seems like a terrible way to solve this. Why not do a prefix match between the root of the public folder and File.expand_path(requested_path)?


I agree this seems really stupid. This is like 1998 era stuff. Put the path together, canonicalize it, then decide if you like it or not.
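An added example (not from the thread or from Rack itself) contrasting the two approaches discussed above: a naive ".." depth counter in the spirit of the original check, and the canonicalize-then-prefix-match check suggested here, using `File.realpath` so symlinks are resolved before the prefix test. The directory layout, file names and the `public/link -> ..` symlink are constructed for the demo.

```ruby
require "tmpdir"
require "fileutils"

# Naive check: walk the path segments and refuse only if the depth ever
# goes negative. Symlinks are invisible to this logic.
def naive_depth_check(requested)
  depth = 0
  requested.split("/").each do |seg|
    next if seg.empty? || seg == "."
    depth += (seg == ".." ? -1 : 1)
    return false if depth < 0
  end
  true
end

# Canonicalize-then-prefix-check: resolve the full path (including any
# symlinks) with File.realpath and require it to stay under the root.
def safe_under_root?(root, requested)
  root = File.realpath(root)
  resolved = File.realpath(File.join(root, requested)) # raises if missing
  resolved == root || resolved.start_with?(root + File::SEPARATOR)
rescue Errno::ENOENT, Errno::ELOOP, Errno::EACCES, Errno::ENOTDIR
  false
end

# Constructed layout:
#   base/secret.txt          <- outside the public root
#   base/public/index.html
#   base/public/link -> ..   <- symlink that escapes the root
def demo
  Dir.mktmpdir do |base|
    root = File.join(base, "public")
    FileUtils.mkdir_p(root)
    File.write(File.join(base, "secret.txt"), "top secret")
    File.write(File.join(root, "index.html"), "<h1>hi</h1>")
    File.symlink("..", File.join(root, "link"))
    escape = "link/secret.txt" # depth never goes negative, yet it leaves root
    {
      naive_allows_escape:    naive_depth_check(escape),          # true
      realpath_allows_escape: safe_under_root?(root, escape),     # false
      realpath_allows_index:  safe_under_root?(root, "index.html"), # true
      naive_blocks_dotdot:    naive_depth_check("../secret.txt"), # false
    }
  end
end
```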


Your analysis of the first bug is correct.



