Universal RCE with Ruby YAML.load

Last year Luke Jahnke wrote an excellent blog post on the elttam blog about finding a universal RCE deserialization gadget chain for Ruby 2.x. In the post he discusses the process of finding and eventually exploiting a gadget chain for Marshal.load. I was curious if the same chain could be used with YAML.load. It has been shown before that using YAML.load with user supplied data is bad, but all the posts I could find focus on Ruby on Rails (RoR). Wouldn’t it be nice to have a gadget chain to use in non-RoR applications? ...

March 2, 2019 · 5 min · 1002 words · Etienne Stalmans

Dockerfile for creating a git repository to serve CVE-2018-11235

It has been a while since the Git vulnerability was announced. The major public repository providers have long since blocked the hosting of repositories serving CVE-2018-11235. ...

September 19, 2018 · 1 min · 205 words · Etienne Stalmans

Getting root on a Kubernetes node with gitRepo and CVE-2018-11235

Shortly after the recent Git vulnerability was announced, a security advisory for Kubernetes was published. ...

June 3, 2018 · 3 min · 633 words · Etienne Stalmans

CVE-2018-11235 git RCE

Remote code execution through malicious submodules.

June 3, 2018 · 13 min · 2758 words · Etienne Stalmans

CVE-2017-17405 RCE in Ruby's FTP lib

The FTP library in Ruby did not validate remote filenames and blindly passed these to the kernel.open function. This created a remotely exploitable vulnerability. Since the filenames were supplied by the remote FTP server, it was possible to create a malicious server that could exploit this vulnerability when a vulnerable Ruby client connected and tried to download a file. ...

June 1, 2018 · 1 min · 133 words · Etienne Stalmans