SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Ruby Vendors:   Matsumoto, Yukihiro
Ruby XMLRPC Security Control Flaw May Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1014253
SecurityTracker URL:  http://securitytracker.com/id/1014253
CVE Reference:   CAN-2005-1992   (Links to External Site)
Date:  Jun 21 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.8.2
Description:   A vulnerability was reported in Ruby. A remote user may be able to execute arbitrary commands on the target system.

A remote user may be able to exploit a flaw in the public_instance_methods implementation to bypass certain XMLRPC add_handler() security controls. As a result, a remote user may be able to execute arbitrary commands within the XMLRPC server.

The flaw resides in 'xmlrpc/utils.rb'.

Nobuhiro IMAI reported this vulnerability.
Impact:   A remote user may be able to execute arbitrary commands on the target XMLRPC server.
Solution:   A fix is available via CVS.
Vendor URL:  www.ruby-lang.org/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 5 2005 (Red Hat Issues Fix) Ruby XMLRPC Security Control Flaw May Let Remote Users Execute Arbitrary Commands   (bugzilla@redhat.com)
Red Hat has released a fix.


 Source Message Contents
Date:  Fri, 17 Jun 2005 19:41:03 +0900
Subject:  arbitrary command execution on XMLRPC server


----Security_Multipart(Fri_Jun_17_19_39_46_2005_597)--
Content-Type: Multipart/Signed; protocol="application/pgp-signature";
 micalg=pgp-sha1;
 boundary="--Security_Multipart(Fri_Jun_17_19_39_46_2005_597)--"

----Security_Multipart(Fri_Jun_17_19_39_46_2005_597)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello,

I found that the default value modification on
Module#public_instance_methods (false -> true) breaks
s.add_handler(XMLRPC::iPIMethods("sample"), MyHandler.new) style
security protection. I guess the following patch will fix this
problem:


--- xmlrpc/utils.rb~    2004-11-16 08:25:58.000000000 +0900
+++ xmlrpc/utils.rb     2005-06-17 11:14:26.000000000 +0900
@@ -131,7 +131,7 @@

     def get_methods(obj, delim=".")
       prefix = @prefix + delim
-      obj.class.public_instance_methods.collect { |name|
+      obj.class.public_instance_methods(false).collect { |name|
         [prefix + name, obj.method(name).to_proc, nil, nil]
       }
     end


Regards,
--
Nobuhiro IMAI <nov yo.rim.or.jp>
Key fingerprint = F39E D552 545D 7C64 D690  F644 5A15 746C BD8E 7106

----Security_Multipart(Fri_Jun_17_19_39_46_2005_597)--
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQBCsqiPWhV0bL2OcQYRAqSMAJ0T5rcVWMBTQY3MRH3Rsh/zO1GaywCeNyQK
bOhx0qmcsPK86+f72cfyujI=
=6ahV
-----END PGP SIGNATURE-----

----Security_Multipart(Fri_Jun_17_19_39_46_2005_597)----
----Security_Multipart(Fri_Jun_17_19_39_46_2005_597)----


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC