Bug 1793683 (CVE-2019-16255) - CVE-2019-16255 ruby: Code injection via comment argument of Shell#test / Shell#[]
Keywords:
Status: NEW
Alias: CVE-2019-16255
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1793685
Reported: 2020-01-21 19:57 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-01-24 21:26 UTC (History)

Fixed In Version: ruby 2.6.5, ruby 2.5.7, ruby 2.4.8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Guilherme de Almeida Suckevicz 2020-01-21 19:57:11 UTC
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

Reference:
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/

Comment 2 Tomas Hoger 2020-01-24 13:36:49 UTC
HackerOne report:

https://hackerone.com/reports/327512

(Note that the Severity noted in the report is "None (0.0)".  It also took upstream 15+ months to create a patch after the initial acknowledgement of the report.)

Upstream commit in the Ruby git:

https://github.com/ruby/ruby/commit/d6adc68dc9c74a33b3ca012af171e2d59f0dea10

Upstream commit in the Ruby Shell git:

https://github.com/ruby/shell/commit/5d8223f9b4695121ec1ba2e1eabca414f33c6252

Comment 4 Tomas Hoger 2020-01-24 20:39:19 UTC
This flaw exists in the Shell module in the Ruby standard library, specifically in the test() / [] method (the two names are aliases for the same method).  This method accepts two or three arguments - command and one or two file names.  However, this method is rather poorly documented, with documentation not explaining what the command argument is supposed to be:

https://ruby-doc.org/stdlib-2.6.5/libdoc/shell/rdoc/Shell/CommandProcessor.html#method-i-test

"Tests if the given command exists in file1, or optionally file2."

The Shell#test() method is a wrapper around FileTest, which implements various file-related tests, such as checks for file existence and type, file permissions, or size:

https://ruby-doc.org/core-2.6.5/FileTest.html

The command passed to Shell#test is supposed to be the name of a FileTest method to be called.  Shell#test can be used as:

```
require 'shell'

sh = Shell.new
# does /etc exist?
sh.test('exists?', '/etc/')
# is /etc a regular file?
sh.test('file?', '/etc/')
# is /etc a directory?
sh.test('directory?', '/etc/')
# what is /etc's size?
sh.test('size', '/etc/')
```

The problem tracked via this CVE is that the Shell#test implementation allowed calling not only methods directly implemented by the FileTest, but also methods inherited from the parent classes.  These methods may be used to achieve arbitrary code execution.

However, this problem can only have security implications in situations when untrusted input is directly passed to Shell#test as its command argument.  Additionally, an untrusted file name value is also required to provide the right payload to the method called via the command argument.  Such use cases seem rather unlikely and may also indicate another problem in the Ruby application.  The upstream advisory notes:

"""
Note that passing untrusted data to methods of Shell is dangerous in general. Users must never do it. However, we treat this particular case as a vulnerability because the purpose of Shell#[] and Shell#test is considered file testing.
"""

This problem would affect very few applications, if any.  The original HackerOne report does not indicate any real-world application exposing this problem.
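The following is an added illustration of the hardening the comments above describe, not code from this bug or the upstream patch: a file-test dispatcher that allowlists only the methods FileTest itself defines, so names inherited from Object/Kernel are rejected before any dispatch. The function names and the temporary file it checks are constructed for the example.

```ruby
require 'tmpdir'

# Allowlist of test names that FileTest defines itself (its own singleton
# methods), deliberately excluding anything inherited from Object/Kernel.
FILE_TEST_ALLOWLIST = FileTest.singleton_methods(false).map(&:to_s).freeze

# Vulnerable shape (for comparison only): send() forwards any name to FileTest,
# including inherited methods, which is the root of the flaw in Shell#test.
def unsafe_file_test(command, file1, file2 = nil)
  file2 ? FileTest.send(command, file1, file2) : FileTest.send(command, file1)
end

# Hardened shape: reject any name that is not a FileTest-defined test before
# dispatching, and use public_send so private methods stay unreachable.
def safe_file_test(command, file1, file2 = nil)
  name = command.to_s
  unless FILE_TEST_ALLOWLIST.include?(name)
    raise ArgumentError, "not a FileTest method: #{name.inspect}"
  end
  file2 ? FileTest.public_send(name, file1, file2) : FileTest.public_send(name, file1)
end

# True when FileTest responds to the name (so send() would reach it) but the
# name is not one of FileTest's own tests, i.e. exactly what the allowlist blocks.
def reachable_by_send_but_rejected?(name)
  FileTest.respond_to?(name, true) && !FILE_TEST_ALLOWLIST.include?(name.to_s)
end

# Exercises the hardened dispatcher against a constructed temporary file.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'constructed.txt')
    File.write(path, 'hello')
    {
      exist: safe_file_test('exist?', path),
      file: safe_file_test('file?', path),
      directory: safe_file_test('directory?', dir),
      size: safe_file_test('size', path),
      rejected: reachable_by_send_but_rejected?('instance_eval'),
    }
  end
end
```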

Comment 5 Tomas Hoger 2020-01-24 20:43:54 UTC
Lowering impact rating based on the information above - while this in theory has high impact (arbitrary code execution), it's rather unlikely to be a problem in any relevant real-world use case.
