OVE-20170303-0004 rbenv Ruby specification directory traversal #977
Comments
A copy of the above advisory, with minimal additional explanatory information, is now available at https://github.com/justinsteven/advisories/blob/master/2017_rbenv_ruby_version_directory_traversal.md
Thanks for taking the time to report this in such a comprehensive manner. The
@mislav sounds good to me from a security POV - I won't claim to know enough about Ruby-land to know the
Though the case of
The assigned CVE is CVE-2017-1000047 (just to make it simpler to find)
@mislav any thoughts on this? I (still) don't know enough about Ruby-land to know if prohibiting
@justinsteven I also don't know, but I don't want to risk it if we don't need to cut support for this feature. Would it be sufficient to disallow the string I'm not sure how easy that is to enforce; if people find their way around that using string hacks then we're back to square one 🤔
I had a few thoughts in the original report. Basically, if we ban the patterns
The other thing that could be explored is using
A malicious `.ruby-version` file in the current directory could inject `../../../` into the version string and trigger execution of binaries outside of `RBENV_ROOT/versions/`. Fixes #977 OVE-20170303-0004
@justinsteven Thank you for your thoughts. I have opened a PR and would appreciate your review!
Thanks again, @justinsteven for the report. While preparing a pull from rbenv upstream into nodenv, I realized the current fix (#1156) would break a very common use case of version subdirectories for nodenv: Thoughts on reverting to the originally proposed bans on
@jasonkarns Thanks for bringing this to my attention. Rbenv never had explicit support for subdirectories in version names, therefore there is no functionality I'm interested in restoring just so that it could serve nodenv's purposes. However, I'd be open to accepting a PR that adds the version subdirectory functionality if it:
A malicious `.ruby-version` file in the current directory could inject `../../../` into the version string and trigger execution of binaries outside of `RBENV_ROOT/versions/`. Fixes rbenv#977 OVE-20170303-0004
rbenv removed support for directory traversal `..` as well as path segments. However, nodenv has a valid use-case for path segments: the lts alias names. This change keeps the `..` pattern blocked, while allowing forward slashes in the version name. see: rbenv/rbenv#977 (comment)
Hi rbenv,
I've found what I believe to be a very low-risk security issue affecting rbenv. I will be publishing the following advisory imminently. I usually back-channel security issues to projects, but I figure this is low enough of a risk to post it publicly. I can only imagine scenarios in which a local user could attack another local user in a situation requiring a high level of user interaction on behalf of the victim user.
I think the following patch would be appropriate, but at the same time thought I'd leave it to more knowledgeable folks to decide the best place and way to protect against this issue in a way that won't break people's use of things like `~/.rbenv/version` (e.g. someone might intentionally have put directory traversal sequences in that file to use a Ruby outside of their home directory). I shall leave it in your capable hands. Thanks!
CVE-2017-TBA rbenv Ruby specification directory traversal
When executing Ruby or a Ruby script, rbenv reads a file named `.ruby-version` to determine the version of Ruby interpreter to execute. It will walk up the directory tree until it finds such a file, or until it reaches `/`. If it does not find such a file, it repeats the process starting from `$PWD`. Documentation regarding this process is available at https://github.com/rbenv/rbenv/blob/master/README.md#choosing-the-ruby-version

Once a Ruby version has been identified, `~/.rbenv/versions/${VERSION}/bin/ruby` is used to provide Ruby. The Ruby version specified in `.ruby-version` may contain path traversal sequences, making it possible to specify that a `ruby` binary outside of the user's home directory should be used to provide Ruby.
This is exploitable against local users in the following cases:

- Where a user executes a trustworthy Ruby script that is in a directory where the first `.ruby-version` encountered while walking upwards from the directory to the root directory is attacker-controlled. For example, an attacker may plant `/tmp/.ruby-version` to exploit a user who is executing `/tmp/foo/bar/fizzbuzz.rb`
- Where a user executes a trustworthy Ruby script while their `$PWD` is a directory where the first `.ruby-version` encountered while walking upwards from the directory to the root directory is attacker-controlled. For example, an attacker may plant `/tmp/.ruby-version` to exploit a user who is executing a Ruby script while they are `cd`'d to `/tmp/fizz/buzz/`
These attack scenarios are considered by the author to be highly unusual and require a high level of user interaction (executing Ruby scripts from, or while `cd`'d to, a world-writable directory or a descendant thereof). This issue is hence deemed to be low-risk.
POC

Exploit a user running a Ruby script that is within `/tmp`

Create an innocent script:

Set the trap as `nobody`:

Trigger the trap by executing the trustworthy script as `justin`:

Exploit a user running a Ruby script while their `$PWD` is within `/tmp`

Create an innocent script within `~`:

`cd` to an empty directory within `/tmp`:

Don't bother setting the trap as `nobody` - the trap from the previous POC will work just fine.

Trigger the trap by executing the trustworthy script as `justin`: