Github: Understanding Unsafe Deserialization Vulnerabilities in Ruby Projects
The post Github: Understanding Unsafe Deserialization Vulnerabilities in Ruby Projects appeared on BitcoinEthereumNews.com.
Unsafe deserialization vulnerabilities in Ruby projects can enable attackers to execute arbitrary commands on remote servers by sending JSON data. According to The GitHub Blog, these vulnerabilities occur when the deserialization process allows the instantiation of arbitrary classes or class-like structures specified in the serialized data. How Unsafe Deserialization Works In Ruby, unsafe deserialization vulnerabilities are often exploited through libraries that support polymorphism, such as the Oj JSON serialization library. Attackers can chain multiple classes together to execute code on the system under attack. These classes, known as gadgets, are combined into a gadget chain to form a larger exploit. For instance, when using the Oj library for deserializing JSON, a project can be vulnerable if it includes a construct like: data = Oj.load(untrusted_json) The Oj library, by default, supports the instantiation of classes specified in JSON, which can be disabled by using Oj.safe_load instead. To demonstrate how this works, consider a class named SimpleClass with a hash method that executes a command: class SimpleClass def initialize(cmd) @cmd = cmd end def hash system(@cmd) end end A JSON payload to instantiate this class might look like: { “^o”: “SimpleClass”, “cmd”: “open -a calculator” } Loading this JSON with Oj.load would not trigger the hash method directly, but placing the class inside a hash as the key can trigger the method: Oj.load(json_payload) This would execute the command specified in the @cmd member variable. Building a Detection Gadget To detect unsafe deserialization vulnerabilities, one can build a detection gadget chain. For example, a class like Gem::Requirement can be used, which has a hash method that calls to_s on an internal member. By creating a suitable JSON payload, one can trigger this chain to detect vulnerabilities. The detection gadget can also be extended to a full-fledged remote code execution (RCE) chain. This involves…
Filed under: News - @ June 23, 2024 2:20 am