DoS Vulnerability in Ruby
Posted by michael June 10, 2009 @ 12:01 AM
A Denial of Service vulnerability has been found and fixed in ruby. The vulnerability is due to the BigDecimal method mishandling certain large input values and can cause the interpreter to crash. This could be used by an attacker to crash any ruby program which creates BigDecimal objects based on user input, including almost every Rails application. This vulnerability has been assigned the CVE name CVE-2009-1904.
For upgrade instructions and information on affected ruby versions please see the ruby security team’s announcement.
All users are advised to upgrade their ruby installations immediately to avoid this problem. In the event that you are unable to upgrade your ruby installation, or are using an out-of-maintenance ruby version, there is a workaround available on github. You can either install it as a gem, or simply copy the file bigdecimal-segfault-fix.rb into config/initializers of your rails application.
NOTE: this workaround breaks valid formats supported by BigDecimal; users should not rely on this fix for an extended period of time but should instead immediately begin planning a migration to a supported ruby release.
The upcoming Rails 2.3.3 release will include some minor mitigating changes to reduce some potential attack vectors for this vulnerability. However, these mitigations will not close every potential method of attack, and users should still upgrade their ruby installation as soon as possible.
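The defensive pattern behind both the interpreter fix and the initializer workaround is the same: never hand an unbounded, unvalidated string from a request straight to BigDecimal. The following is an added example, not code from the original post or from the github workaround, of a validating wrapper that a Rails application could use in place of bare BigDecimal(params[...]). The helper names (safe_big_decimal, safe_big_decimal_or_nil, UnsafeDecimalInput), the length limit and the accepted pattern are assumptions chosen for this illustration and should be tuned to the field being parsed.

```ruby
# Added example (not the original post's code or the github workaround):
# validate untrusted input *before* it reaches BigDecimal, so oversized or
# malformed strings are rejected by the application rather than parsed.
require 'bigdecimal'

# Conservative shape for a decimal coming from a form field: optional sign,
# digits, optional fraction, optional exponent with at most three digits.
# Anything outside this shape is rejected rather than passed to the parser.
SAFE_DECIMAL = /\A[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d{1,3})?\z/

# Upper bound on the raw string length; assumption for this example.
# A price or quantity field never legitimately needs hundreds of characters.
MAX_DECIMAL_LENGTH = 64

class UnsafeDecimalInput < ArgumentError; end

# Returns a BigDecimal for well-formed input and raises UnsafeDecimalInput
# for anything that is too long or not a plain decimal literal.
def safe_big_decimal(raw, max_length: MAX_DECIMAL_LENGTH)
  str = raw.to_s.strip
  if str.length > max_length
    raise UnsafeDecimalInput, "input too long (#{str.length} > #{max_length})"
  end
  unless str.match?(SAFE_DECIMAL)
    raise UnsafeDecimalInput, "input is not a plain decimal: #{str.inspect}"
  end
  BigDecimal(str)
end

# Lenient variant for controller code: nil instead of an exception, so a
# bad value becomes a validation error on the form rather than a 500.
def safe_big_decimal_or_nil(raw, **opts)
  safe_big_decimal(raw, **opts)
rescue UnsafeDecimalInput
  nil
end

if __FILE__ == $0
  # Constructed sample inputs: two well-formed values and three that a
  # validating front door should refuse.
  samples = ['10.03', '-1.5e3', '1' * 200, '1e999999999', '12abc']
  samples.each do |s|
    result = safe_big_decimal_or_nil(s)
    puts "#{s[0, 20].inspect} -> #{result.nil? ? 'rejected' : result.to_s}"
  end
end
```

The point of the wrapper is not the particular regex but the ordering: the cheap length and shape checks run first, so the code path that was vulnerable (BigDecimal's own parsing of large inputs) only ever sees short, well-formed strings. Use the raising form inside model code and the nil form at the controller boundary.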
Thanks to Jose Fernández for reporting the vulnerability to the rails security team, and to the ruby security team for confirming the nature of the bug and handling the release process.

Thank you for the workaround. It looks simple enough to protect some applications while I can upgrade Ruby.
what would be the name of the gem to install for this? Sorry for the newb question.
The installation instructions are documented on the github page.
Do you mean the BigDecimal class?
DoS! Oh noes! Ruby has a ton.. have a free one on the house. Works on 1.8 and 1.9. Feel free to freak out about it and get a CVE.
ruby-1.9$ ./ruby -e '[].pack("@#{2**31}")'
-e:1: [BUG] Segmentation fault
ruby 1.9.2dev (2009-06-10 trunk 23660) [i686-linux]
@rmx: Your example code does not result in a crash on REE 20090610.
@rmx: Sure, that’ll segfault, but you’ll have to produce a means to exploit that via a public webserver before I’ll be convinced that it’s a DoS vector.
And what about the Windows version?
Is the project dead? Since last year there have been no updates.
sensei: the vulnerability is in the BigDecimal method, check the workaround code. I was confused too.
Beware the ruby version recommended here will yield true on the
BigDecimal("10.03").to_f == 10.3
expression. This will effectively break a long list of rails helpers. Add this to your rails project to fix:
# Only patch when the installed BigDecimal#to_f is the broken one.
if BigDecimal("10.03").to_f != 10.03
  class BigDecimal
    # Route the conversion through the decimal string representation,
    # which is parsed correctly, instead of the faulty native to_f.
    def to_f
      to_s.to_f
    end
  end
end
Or wait till they release a proper one … more haste less speed.
My favorite segfault is in Ruby 1.8.7 patchlevel 72:
loop &:p
I used it to crash the @rubx twitter bot.
I really enjoy Ruby 1.8.7 myself. I highly recommend that version.
@rmx:
I don’t know what you’re talking about.
I just tried your example on Ruby 1.8.6 and 1.9.1 and it didn’t break anything.
Folks, don’t go feeding the trolls ;)
http://weblog.rubyonrails.org/2009/6/12/community-highlights-ruby-heroes/comments/25419#comment-25419
I’m just curious… How would the DoS attack be achieved on a rails app? Is there some way to submit something in, say, a form that would cause a segmentation fault?