Matasano Chargen - Latest Comments in Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

roger — Wed, 27 May 2009 07:47:02 -0000

appears to be fixed with the latest patch versions (1.8, 1.9)

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

filip — Fri, 27 Jun 2008 13:27:11 -0000

Use RE:Trace to hunt it down to the last bit!

http://www.poppopret.org/code.html

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

DeLynn Berry — Thu, 26 Jun 2008 13:11:24 -0000

Has any successfully gotten both of these test to *not* segmentation fault?

Here is a pastie of my efforts: http://pastie.org/222714.

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Jon — Wed, 25 Jun 2008 05:50:17 -0000

Hi, your fixed-width code sections in the blog are too thin for the font size I use. Could you consider adding the magic CSS that will add scrollbars for overflowing fixed-width elements?

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

jf — Wed, 25 Jun 2008 00:07:55 -0000

awesome. ;D

just wait until i go public with my javascript stuff !

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Dominique Brezinski — Tue, 24 Jun 2008 16:57:01 -0000

Well, these issues are not new and have been known about since 2005.

http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ru...

http://www.blackhat.com/presentations/bh-jp-05/...

Fixing the macros (which should be replaced with functions AFAIAC) was not the right approach, which Matz knew, but he did not (nor any other member of core) choose to fix the issues in the 1.8 code. Now it is 2008 and Yao had to rediscover the problems to make something happen. Way to go ruby-core!

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Snagg — Tue, 24 Jun 2008 06:39:43 -0000

-Igal

I guest you should have to wait until Ruby developers create a valid patch. The whole code that manages arrays need a bit of review, while playing with those bugs, I've found another problem, which I reported to security@ruby-lang. So I think the best thing you can do to help Ruby community, is not providing patches but trying to spot other mistakes in the code and report them. IMHO

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Igal Koshevoy — Tue, 24 Jun 2008 03:00:25 -0000

@Thomas Ptacek: That ruby-talk thread I mentioned above is for people that care about Ruby who are actively trying to create a patch to fix these problems. There are at least two very promising patches now available there that need to be reviewed and tested. Maybe you and others can help? Thanks.

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Steve Christey — Tue, 24 Jun 2008 01:28:09 -0000

yawn.

I recognize that I should be committing descriptions including the phrase "context-dependent" to cve.mitre.org instead of expressing the maximum attitude I'm allowed as an allegedly neutral party, but... Ruby is popular. Thus someone's gonna research it, and they're gonna find bugs. It's the circle of strife.

Of course, whatever replaces Ruby as the newest fad won't have any vulnerabilities at all, so we can all rest easy after this whole thing blows over.

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

ssss — Mon, 23 Jun 2008 11:35:19 -0000

Aure-

One more f in there and it will crash.

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Thomas Ptacek — Mon, 23 Jun 2008 11:29:44 -0000

Aure --- what version of Ruby? They aren't Mac-only flaws.

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Thomas Ptacek — Mon, 23 Jun 2008 11:28:22 -0000

Igal --- really just not at all interested in discussing Zed Shaw's blog post on ruby-forum.com. I'm sorry you're having your time wasted like that.

If you see anything interesting here, you are welcome to cross-post it.

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Igal Koshevoy — Mon, 23 Jun 2008 10:51:10 -0000

It's great to see some code here that can help assert the errors and their solutions.

Can folks on this blog thread please join us in a discussion of this issue at the ruby-talk mailing list or its web-accessible thread at http://www.ruby-forum.com/topic/157034 ? I'm trying to get everyone that's been working on this talking in one place so we can best coordinate our efforts to resolve this.

Thank you.

-igal

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Aure — Mon, 23 Jun 2008 09:37:56 -0000

I've tried both ways to hang ruby and it didn't work on my PC. First one works as I expected:
irb(main):001:0> ary = []
=> []
irb(main):002:0> ary[0x7ffffff] = "A"
=> "A"
irb(main):003:0> ary[0x7ffffff] = "A"
=> "A"
irb(main):004:0> ary[0x7ffffff]
=> "A"

The second one, started to trash (I expected it because of the size of the string) and I aborted it.
irb(main):006:0> while 1;str<<str;puts str.size;end
131072
262144
524288
1048576
2097152
4194304
8388608
16777216
33554432
67108864
134217728
268435456
536870912
IRB::Abort: abort then interrupt!!
from /usr/lib/ruby/1.8/irb.rb:81:in `irb_abort'
from /usr/lib/ruby/1.8/irb.rb:243:in `signal_handle'
from /usr/lib/ruby/1.8/irb.rb:66:in `start'
from /usr/lib/ruby/1.8/irb.rb:66:in `call'
from /usr/lib/ruby/1.8/irb.rb:66:in `start'
from (irb):6:in `call'
from (irb):6
from :0

And I'm using an vulnerable version.
$ ruby --version
ruby 1.8.6 (2007-09-24 patchlevel 111) [i486-linux]

On ubuntu hardy.

Is this Mac only?
If it is, the impact is much lower (production servers tend to be Linux for Ruby web applications).

Aureliano.

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

spatulasnout — Mon, 23 Jun 2008 01:46:44 -0000

Updated to latest subversion ruby_1_8_6 branch, revision 17546. (patchlevel 231)

Still getting a seg fault on:

ruby -ve 'str = "A"*(2**16) ; loop{ str << str ; puts str.size }'
ruby 1.8.6 (2008-06-22 patchlevel 231) [i686-linux]
131072
262144
-e:1: [BUG] Segmentation fault

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

brian — Sun, 22 Jun 2008 06:12:20 -0000

Using

defaults write com.apple.CrashReporter DialogType developer

I get for ary[0x7fffffff] = "A":

EXC_BAD_ACCESS (0x0001)
KERN_PROTECTION_FAILURE (0x0002) at 0x00705000

Thread 0 Crashed:
0 rb_mem_clear + 16 (array.c:30)
1 rb_ary_store + 212 (array.c:377)
2 rb_ary_aset + 412 (array.c:1078)
3 rb_call0 + 1196 (eval.c:5815)
4 rb_call + 612 (eval.c:6063)
5 rb_eval + 6804 (eval.c:3430)
6 eval + 1068 (eval.c:6458)
7 rb_f_eval + 468 (eval.c:6576)
8 rb_call0 + 1196 (eval.c:5815)
9 rb_call + 612 (eval.c:6063)

Just my two cents.

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Snagg — Sun, 22 Jun 2008 05:00:56 -0000

Uhm done some test last night. Seems like in rb_ary_store (), before writing to the array the memory is zeroed, resulting in a crash. Still there might be other entry points next candidate: rb_ary_times().

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Thomas Ptacek — Sun, 22 Jun 2008 03:46:11 -0000

The test case for Bignum (note to Zed: this was fixed in a commit labelled "check for integer overflow") is easy:

i = 1 << 0x1fffffff; j = i; true
j = j << 0x1fffffff; true
j = j << 0x1fffffff; true
j = j << 0x1fffffff; true
j = j << 0x1fffffff; true
j = j << 0x1fffffff; true
j = j << 0x1fffffff; true
j = j << 0x1fffffff; true
j

Break in rb_big2str, and land here:

677 while (i && j) {
(gdb) print i
$16 = 134217728
(gdb) print j
$17 = 2

("i" is the size of the bignum, "j" is the size of the target string).

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Nobu Nakada — Sat, 21 Jun 2008 21:21:30 -0000

Very sorry, fixed it.

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Drew Yao — Sat, 21 Jun 2008 15:36:06 -0000

Re: the crash on 1.8.7-p22, I have forwarded it on to the Ruby security team.

The test case does not cause a crash in the patched version of 1.8.6 that will be going out in a Mac OS X update soon. The patch that Ruby ended up with was not the same as the one that I sent them.

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Rhys — Sat, 21 Jun 2008 11:11:19 -0000

@tj

Was it just the string operation that still caused the segfault on 1.8.7-p22?

I'd say IndexError is the correct(er) error to throw for the second issue - array[0x7fffffff] assignment? It's a different result to the segfault it caused on my ruby 1.8.6 (2007-09-24 patchlevel 111).

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

mac — Sat, 21 Jun 2008 09:44:01 -0000

I guess I expected this after watching jf's talk "Horizon 3: smashing the stack for profit (advances in attacking interpreted languages)" at this years PH-Neutral.

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

Eric Monti — Fri, 20 Jun 2008 22:45:31 -0000

For the record... I love Ruby. I blame Drew!

Re: Updates on Drew Yao’s Terrible Ruby Vulnerabilities

tj — Fri, 20 Jun 2008 21:57:51 -0000

Pathed to 1.8.7-p22 and the string bug outlined above still causes the segfault:
irb(main):005:0> str = "A"*(2**16) ;while 1; str < ary = []; ary[0x7fffffff] = "A"
IndexError: index 2147483647 too big