oss-sec mailing list archives

Local privileges escalation in rubygem open-uri-cached


From: Michael Scherer <misc () zarb org>
Date: Tue, 5 May 2015 19:27:42 +0200

Hi,

open-uri-cached, a rubygem that will cache downloaded data when using open-uri, is
susceptible to a local attack due to usage of YAML in an insecure way, and using
a predictable directory name in /tmp for getting that data without verification, see
https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L39
https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L25
and https://github.com/tigris/open-uri-cached/blob/master/lib/open-uri/cached.rb#L115

So someone could create ahead of time a directory /tmp/openuri-$someuid/, precreate a directory
for the host to contact with proper permissions, wait until a meta file is created, and
replace it with one containing ruby code to be executed, as it doesn't use the safe loader for yaml
( http://www.benjaminfleischer.com/2013/03/20/yaml-and-security-in-ruby/ ).

The gem is pulled by various projects on github, the likely most important being
a redmine plugin: https://github.com/backlogs/redmine_backlogs

Could a CVE be assigned? I will take care of opening an issue on github for that
after:
https://github.com/tigris/open-uri-cached

-- 
Michael Scherer
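A hardened version of the two patterns this report describes, as an added example that is not the gem's own code: the cache directory is created with an unpredictable name and mode 0700 and checked for ownership before use, and the meta file is parsed with Psych's restricted loader so tagged Ruby objects are rejected instead of instantiated. The names trusted_cache_dir?, create_cache_dir, load_meta and META_CLASSES, and the two sample documents, are assumptions made for illustration.

```ruby
require "yaml"
require "tmpdir"
require "fileutils"

# Hypothetical replacement for a cache's meta-file handling (not the gem's code).
# Only these classes are expected in a meta file; any other tag
# (e.g. !ruby/object:...) is rejected by the restricted loader.
META_CLASSES = [Time].freeze

# Refuse a cache directory another local user could have pre-created:
# it must be a real directory (not a symlink), owned by us, and not
# writable by group or others.
def trusted_cache_dir?(dir)
  st = File.lstat(dir)
  st.directory? && st.uid == Process.euid && (st.mode & 0o022).zero?
rescue Errno::ENOENT
  false
end

# Create the per-user cache directory with a random suffix instead of a
# predictable /tmp/openuri-<uid>; Dir.mktmpdir creates it with mode 0700.
def create_cache_dir(base = Dir.tmpdir)
  Dir.mktmpdir("openuri-", base)
end

# Parse a meta file with YAML.safe_load. Returns the parsed Hash, or nil
# when the directory is untrusted or the document carries a disallowed tag.
def load_meta(path)
  return nil unless trusted_cache_dir?(File.dirname(path))
  YAML.safe_load(File.read(path), permitted_classes: META_CLASSES)
rescue Psych::DisallowedClass, Psych::SyntaxError
  nil
end

# Constructed sample documents: a benign meta file and one carrying a
# Ruby object tag, the shape an unrestricted loader would instantiate.
BENIGN_META = "---\nstatus: 200\ncontent_type: text/html\n"
TAGGED_META = "---\nstatus: !ruby/object:Object {}\n"

# Write both samples into a fresh cache dir and return [benign, tagged] results.
def demo
  dir = create_cache_dir
  ok, bad = File.join(dir, "meta"), File.join(dir, "meta-tagged")
  File.write(ok, BENIGN_META)
  File.write(bad, TAGGED_META)
  [load_meta(ok), load_meta(bad)]  # => [{"status"=>200, "content_type"=>"text/html"}, nil]
ensure
  FileUtils.remove_entry(dir) if dir
end
```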
