oss-sec mailing list archives
Local privileges escalation in rubygem open-uri-cached
From: Michael Scherer <misc () zarb org>
Date: Tue, 5 May 2015 19:27:42 +0200
Hi,

open-uri-cached, a rubygem that will cache downloaded data when using open-uri, is susceptible to a local attack due to usage of YAML in an insecure way, and to using a predictable directory name in /tmp for getting that data without verification, see
https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L39
https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L25
and https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L115

So someone could create ahead of time a directory /tmp/openuri-$someuid/, precreate the directory for the host to contact, with proper permissions, wait until a meta file is created, and replace it with one containing Ruby code to be executed, as it doesn't use a safe loader for YAML ( http://www.benjaminfleischer.com/2013/03/20/yaml-and-security-in-ruby/ ).

The gem is pulled by various projects on github, the likely most important being a redmine plugin: https://github.com/backlogs/redmine_backlogs

Could a CVE be assigned? I will take care of opening an issue on github for that after: https://github.com/tigris/open-uri-cached

--
Michael Scherer
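The two weaknesses in the report, an unsafe YAML loader and a predictable, unverified cache directory, side by side with the hardened forms, as an added example. This is not the gem's code and not the reporter's: the class CacheMeta, the meta-file contents, and the helper functions are constructed for illustration, and the block assumes Ruby 2.6 or later (for the permitted_classes: keyword; on Ruby 3.1+ YAML.load is already safe, so the old behaviour is spelled out via unsafe_load).

```ruby
require "yaml"
require "tmpdir"

# A benign stand-in for "whatever class the attacker names in a YAML tag".
# With an unsafe loader the tag alone is enough to instantiate it and set
# its instance variables; the class name is attacker-chosen, which is the
# starting point of the gadget chains described in the linked article.
class CacheMeta
  attr_accessor :content_type, :note
end

# Constructed attacker-controlled replacement for a cache meta file.
POISONED_META = <<~YAML
  --- !ruby/object:CacheMeta
  content_type: text/html
  note: instantiated by the unsafe loader
YAML

# Constructed honest meta file: only plain data (strings, arrays, hashes).
HONEST_META = "---\ncontent_type: text/html\n"

# Vulnerable pattern: trusts every tag in the file.
def load_meta_unsafe(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened pattern: basic types only; any !ruby/object tag raises
# Psych::DisallowedClass instead of allocating the named class.
def load_meta_safe(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
end

# Directory hygiene. A fixed path such as /tmp/openuri-<uid> can be
# pre-created by any local user, so before reading or writing under it,
# confirm it is a real directory (not a planted symlink), owned by us, and
# not writable by group or others.
def trusted_cache_dir?(path)
  st = File.lstat(path)          # lstat: do not follow a symlink
  return false unless st.directory?
  return false unless st.uid == Process.euid
  (st.mode & 0o022).zero?        # no group/world write bit
rescue Errno::ENOENT
  false
end

# Create the cache root with mode 0700 if absent; if it already exists
# (possibly created by someone else), refuse it unless it passes the checks.
def ensure_cache_dir(path)
  begin
    Dir.mkdir(path, 0o700)
  rescue Errno::EEXIST
    # already there: verify rather than trust
  end
  raise "refusing to use untrusted cache dir #{path}" unless trusted_cache_dir?(path)
  path
end

# Returns a summary of how each loader treats the poisoned file.
def compare_loaders
  unsafe = load_meta_unsafe(POISONED_META)
  safe_rejected = begin
    load_meta_safe(POISONED_META)
    false
  rescue Psych::DisallowedClass
    true
  end
  { unsafe_class: unsafe.class.name, safe_rejected: safe_rejected }
end
```

A persistent cache that survives across runs should also live somewhere only the user can reach by default (a 0700 directory under the user's home or $XDG_CACHE_HOME), rather than at a guessable name in a world-writable /tmp; the ownership and mode check above is the minimum needed when a shared directory cannot be avoided.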
Current thread:
- Local privileges escalation in rubygem open-uri-cached Michael Scherer (May 05)
- Re: Local privileges escalation in rubygem open-uri-cached cve-assign (May 06)