Universal RCE with Ruby YAML.load (versions > 2.7)

A couple of years ago I wrote a universal YAML.load deserialization RCE gadget based on the work by Luke Jahnke from elttam. This has since been patched and no longer works on Ruby versions after 2.7.2 and Rails 6.1. Fortunately, William Bowling (vakzz) has found a new gadget chain that works on all Ruby versions 2.x - 3.x. His write-up for this is excellent and I highly recommend you give it a read: https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html. As with the previous gadget I wanted to make this exploitable via YAML.load. In this instance I’m not going to go through the whole process of getting to this, since it was almost identical to the process covered in my previous post. ...

Argument injection and getting past shellwords.escape

This is going to be a short write-up about an interesting argument injection I ran into a while ago. There is nothing new here, but it is still worth looking at as argument injection is an oft overlooked attack avenue as everyone is going after the more traditional command injection vulnerabilities. What is argument injection? Very similar to command injection, argument injection occurs when attacker controlled values/text are passed into a shell function without adequate sanitization....

Universal RCE with Ruby YAML.load

Last year Luke Jahnke wrote an excellent blog post on the elttam blog about finding a universal RCE deserialization gadget chain for Ruby 2.x. In the post he discusses the process of finding and eventually exploiting a gadget chain for Marshal.load. I was curious if the same chain could be used with YAML.load. It has been shown before that using YAML.load with user supplied data is bad, but all the posts I could find focuses on Ruby on Rails (RoR). Wouldn’t it be nice to have a gadget chain to use in non-RoR applications? ...

CVE-2017-17405 RCE in Ruby's FTP lib

The FTP library in Ruby did not validate remote filenames and blindly passed these to the kernel.open function. This created a remotely exploitable vulnerability. Since the filenames were supplied by the remote FTP server, it was possible to create a malicious server that could exploit this vulnerability when a vulnerable Ruby client connected and tried to download a file. ...