CVE-2017-17405 RCE in Ruby's FTP lib

The FTP library in Ruby did not validate remote filenames and blindly passed these to the kernel.open function. This created a remotely exploitable vulnerability. Since the filenames were supplied by the remote FTP server, it was possible to create a malicious server that could exploit this vulnerability when a vulnerable Ruby client connected and tried to download a file.

This was assigned CVE-2017-17405 and patched by the Ruby team on 14 December 2017.

Full Write-up

I did a write-up of this vulnerability on the Heroku blog. The full post is available here: https://blog.heroku.com/identifying-ruby-ftp-cve

Vulnerable Versions

The following versions of Ruby are all affected by this vulnerability:

  • Ruby 2.2 series: 2.2.8 and earlier
  • Ruby 2.3 series: 2.3.5 and earlier
  • Ruby 2.4 series: 2.4.2 and earlier
  • Ruby 2.5 series: 2.5.0-preview1
  • prior to trunk revision r61242