CAPEC
- Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
- Directory Traversal
An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and "dir", or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitative attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
- File System Function Injection, Content Based
An attack of this type exploits the host's trust in executing remote content, including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as email and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications, from Microsoft Office to Adobe Acrobat and the Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attacker's program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst-case scenario, these programs are combined with other propagation logic and work as a virus.
- Using Slashes and URL Encoding Combined to Bypass Validation Logic
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special characters that need special syntax handling in order to be interpreted. Special characters are represented using a percent character followed by two hex digits representing the octet code of the original character (%HEX-CODE). For instance, the US-ASCII space character would be represented as %20. This is often referred to as escaped encoding or percent-encoding. Since the server decodes the URL from the request, it may restrict access to some URL paths by validating and filtering the URL requests it receives. An attacker will try to craft a URL with a sequence of special characters which, once interpreted by the server, will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other formats of encoding such as UTF-8 encoding, Unicode encoding, etc.
- Manipulating Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
- Using Escaped Slashes in Alternate Encoding
This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and cause a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character, which leads to filter problems and opens avenues to attack.
- Using Slashes in Alternate Encoding
This attack targets the encoding of the slash characters. An attacker would try to exploit common filtering problems related to the use of the slash characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) chose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
nessus
via4
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-3621-1.NASL
description: It was discovered that Ruby incorrectly handled certain inputs. An
attacker could possibly use this to access sensitive information.
(CVE-2018-1000073)
It was discovered that Ruby incorrectly handled certain files. An
attacker could possibly use this to execute arbitrary code.
(CVE-2018-1000074)
It was discovered that Ruby incorrectly handled certain files. An
attacker could possibly use this to cause a denial of service.
(CVE-2018-1000075)
It was discovered that Ruby incorrectly handled certain crypto
signatures. An attacker could possibly use this to execute arbitrary
code. (CVE-2018-1000076)
It was discovered that Ruby incorrectly handled certain inputs. An
attacker could possibly use this to execute arbitrary code.
(CVE-2018-1000077, CVE-2018-1000078, CVE-2018-1000079).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
last seen: 2019-01-16
modified: 2018-12-01
plugin id: 108879
published: 2018-04-06
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=108879
title: Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities (USN-3621-1)
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-3621-2.NASL
description: USN-3621-1 fixed vulnerabilities in Ruby. The update caused an issue
due to an incomplete patch for CVE-2018-1000074. This update reverts
the problematic patch pending further investigation.
We apologize for the inconvenience.
Original advisory details :
It was discovered that Ruby incorrectly handled certain inputs. An
attacker could possibly use this to access sensitive information.
(CVE-2018-1000073)
It was discovered that Ruby incorrectly handled certain
files. An attacker could possibly use this to execute
arbitrary code. (CVE-2018-1000074)
It was discovered that Ruby incorrectly handled certain
files. An attacker could possibly use this to cause a denial
of service. (CVE-2018-1000075)
It was discovered that Ruby incorrectly handled certain
crypto signatures. An attacker could possibly use this to
execute arbitrary code. (CVE-2018-1000076)
It was discovered that Ruby incorrectly handled certain
inputs. An attacker could possibly use this to execute
arbitrary code. (CVE-2018-1000077, CVE-2018-1000078,
CVE-2018-1000079).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
last seen: 2019-01-16
modified: 2018-12-01
plugin id: 109058
published: 2018-04-16
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=109058
title: Ubuntu 14.04 LTS : ruby1.9.1, ruby2.0 regression (USN-3621-2)
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-1421.NASL
description: Multiple vulnerabilities were found in the interpreter for the Ruby
language. The Common Vulnerabilities and Exposures project identifies
the following issues :
CVE-2015-9096
SMTP command injection in Net::SMTP via CRLF sequences in a RCPT TO or
MAIL FROM command.
CVE-2016-2339
Exploitable heap overflow in Fiddle::Function.new.
CVE-2016-7798
Incorrect handling of initialization vector in the GCM mode in the
OpenSSL extension.
CVE-2017-0898
Buffer underrun vulnerability in Kernel.sprintf.
CVE-2017-0899
ANSI escape sequence vulnerability in RubyGems.
CVE-2017-0900
DoS vulnerability in the RubyGems query command.
CVE-2017-0901
gem installer allowed a malicious gem to overwrite arbitrary files.
CVE-2017-0902
RubyGems DNS request hijacking vulnerability.
CVE-2017-0903
Max Justicz reported that RubyGems is prone to an unsafe object
deserialization vulnerability. When parsed by an application which
processes gems, a specially crafted YAML formatted gem specification
can lead to remote code execution.
CVE-2017-10784
Yusuke Endoh discovered an escape sequence injection vulnerability in
the Basic authentication of WEBrick. An attacker can take advantage of
this flaw to inject malicious escape sequences to the WEBrick log and
potentially execute control characters on the victim's terminal
emulator when reading logs.
CVE-2017-14033
asac reported a buffer underrun vulnerability in the OpenSSL
extension. A remote attacker could take advantage of this flaw to
cause the Ruby interpreter to crash leading to a denial of service.
CVE-2017-14064
Heap memory disclosure in the JSON library.
CVE-2017-17405
A command injection vulnerability in Net::FTP might allow a malicious
FTP server to execute arbitrary commands.
CVE-2017-17742
Aaron Patterson reported that WEBrick bundled with Ruby was vulnerable
to an HTTP response splitting vulnerability. It was possible for an
attacker to inject fake HTTP responses if a script accepted an
external input and output it without modifications.
CVE-2017-17790
A command injection vulnerability in lib/resolv.rb's lazy_initialize
might allow a command injection attack. However, untrusted input to
this function is rather unlikely.
CVE-2018-6914
ooooooo_q discovered a directory traversal vulnerability in the
Dir.mktmpdir method in the tmpdir library. It made it possible for
attackers to create arbitrary directories or files via a .. (dot dot)
in the prefix argument.
CVE-2018-8777
Eric Wong reported an out-of-memory DoS vulnerability related to a
large request in WEBrick bundled with Ruby.
CVE-2018-8778
aerodudrizzt found a buffer under-read vulnerability in the Ruby
String#unpack method. If a big number was passed with the specifier @,
the number was treated as a negative value, and an out-of-buffer read
occurred. Attackers could read data on the heap if a script accepts an
external input as the argument of String#unpack.
CVE-2018-8779
ooooooo_q reported that the UNIXServer.open and UNIXSocket.open
methods of the socket library bundled with Ruby did not check for NUL
bytes in the path argument. The lack of check made the methods
vulnerable to unintentional socket creation and unintentional socket
access.
CVE-2018-8780
ooooooo_q discovered an unintentional directory traversal in some
methods in Dir, by the lack of checking for NUL bytes in their
parameter.
CVE-2018-1000075
A negative size vulnerability in ruby gem package tar header that
could cause an infinite loop.
CVE-2018-1000076
RubyGems package improperly verifies cryptographic signatures. A
mis-signed gem could be installed if the tarball contains multiple gem
signatures.
CVE-2018-1000077
An improper input validation vulnerability in RubyGems specification
homepage attribute could allow malicious gem to set an invalid
homepage URL.
CVE-2018-1000078
Cross Site Scripting (XSS) vulnerability in gem server display of
homepage attribute.
CVE-2018-1000079
Path Traversal vulnerability during gem installation.
For Debian 8 'Jessie', these problems have been fixed in version
2.1.5-2+deb8u4.
We recommend that you upgrade your ruby2.1 packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.
last seen: 2019-01-16
modified: 2018-08-08
plugin id: 111081
published: 2018-07-16
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=111081
title: Debian DLA-1421-1 : ruby2.1 security update
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-4219.NASL
description: Several vulnerabilities were discovered in jruby, a Java
implementation of the Ruby programming language. They would allow an
attacker to use specially crafted gem files to mount cross-site
scripting attacks, cause denial of service through an infinite loop,
write arbitrary files, or run malicious code.
last seen: 2019-01-16
modified: 2018-11-13
plugin id: 110418
published: 2018-06-11
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=110418
title: Debian DSA-4219-1 : jruby - security update
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-4259.NASL
description: Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may result in incorrect processing of
HTTP/FTP, directory traversal, command injection, unintended socket
creation or information disclosure.
This update also fixes several issues in RubyGems which could allow an
attacker to use specially crafted gem files to mount cross-site
scripting attacks, cause denial of service through an infinite loop,
write arbitrary files, or run malicious code.
last seen: 2019-01-16
modified: 2018-11-13
plugin id: 111468
published: 2018-08-02
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=111468
title: Debian DSA-4259-1 : ruby2.3 - security update
NASL family: Amazon Linux Local Security Checks
NASL id: AL2_ALAS-2018-983.NASL
description: Path traversal when writing to a symlinked basedir outside of the root:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
Directory Traversal vulnerability in the install_location function of
package.rb that can result in path traversal when writing to a
symlinked basedir outside of the root. This vulnerability appears to
have been fixed in 2.7.6. (CVE-2018-1000073)
Improper verification of signatures in tarball allows installation of a
mis-signed gem:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
Improper Verification of Cryptographic Signature vulnerability in
package.rb: a mis-signed gem could be installed if the tarball
contained multiple gem signatures. This vulnerability appears to have
been fixed in 2.7.6. (CVE-2018-1000076)
Infinite loop vulnerability due to negative size in tar header causes
Denial of Service:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
infinite-loop vulnerability in the ruby gem package tar header: a
negative size field could cause an infinite loop. This vulnerability
appears to have been fixed in 2.7.6. (CVE-2018-1000075)
Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary
code execution :
The 'lazy_initialize' function in lib/resolv.rb did not properly
process certain filenames. A remote attacker could possibly exploit
this flaw to inject and execute arbitrary commands. (CVE-2017-17790)
Missing URL validation on spec home attribute allows a malicious gem to
set an invalid homepage URL:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
Improper Input Validation vulnerability in the ruby gems specification
homepage attribute: a malicious gem could set an invalid homepage URL.
This vulnerability appears to have been fixed in 2.7.6.
(CVE-2018-1000077)
XSS vulnerability in homepage attribute when displayed via gem server:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
Cross Site Scripting (XSS) vulnerability in the gem server display of
the homepage attribute. The attack appears to be exploitable when the
victim browses to a malicious gem on a vulnerable gem server. This
vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000078)
Unsafe Object Deserialization Vulnerability in gem owner allowing
arbitrary code execution on specially crafted YAML:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
Deserialization of Untrusted Data vulnerability in the owner command
that can result in code execution. The attack appears to be exploitable
when the victim runs the `gem owner` command on a gem with a specially
crafted YAML file. This vulnerability appears to have been fixed in
2.7.6. (CVE-2018-1000074)
Path traversal issue during gem installation allows writing to
arbitrary filesystem locations:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
Directory Traversal vulnerability in gem installation: the gem could
write to arbitrary filesystem locations during installation. The
attack appears to be exploitable when the victim installs a malicious
gem. This vulnerability appears to have been fixed in 2.7.6.
(CVE-2018-1000079)
last seen: 2019-01-16
modified: 2018-04-18
plugin id: 109136
published: 2018-04-18
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=109136
title: Amazon Linux 2 : ruby (ALAS-2018-983)
NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2018-983.NASL
description: Path traversal when writing to a symlinked basedir outside of the root:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
Directory Traversal vulnerability in the install_location function of
package.rb that can result in path traversal when writing to a
symlinked basedir outside of the root. This vulnerability appears to
have been fixed in 2.7.6. (CVE-2018-1000073)
Improper verification of signatures in tarball allows installation of a
mis-signed gem:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
Improper Verification of Cryptographic Signature vulnerability in
package.rb: a mis-signed gem could be installed if the tarball
contained multiple gem signatures. This vulnerability appears to have
been fixed in 2.7.6. (CVE-2018-1000076)
Infinite loop vulnerability due to negative size in tar header causes
Denial of Service:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
infinite-loop vulnerability in the ruby gem package tar header: a
negative size field could cause an infinite loop. This vulnerability
appears to have been fixed in 2.7.6. (CVE-2018-1000075)
Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary
code execution :
The 'lazy_initialize' function in lib/resolv.rb did not properly
process certain filenames. A remote attacker could possibly exploit
this flaw to inject and execute arbitrary commands. (CVE-2017-17790)
Missing URL validation on spec home attribute allows a malicious gem to
set an invalid homepage URL:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
Improper Input Validation vulnerability in the ruby gems specification
homepage attribute: a malicious gem could set an invalid homepage URL.
This vulnerability appears to have been fixed in 2.7.6.
(CVE-2018-1000077)
XSS vulnerability in homepage attribute when displayed via gem server:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
Cross Site Scripting (XSS) vulnerability in the gem server display of
the homepage attribute. The attack appears to be exploitable when the
victim browses to a malicious gem on a vulnerable gem server. This
vulnerability appears to have been fixed in 2.7.6. (CVE-2018-1000078)
Unsafe Object Deserialization Vulnerability in gem owner allowing
arbitrary code execution on specially crafted YAML:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
Deserialization of Untrusted Data vulnerability in the owner command
that can result in code execution. The attack appears to be exploitable
when the victim runs the `gem owner` command on a gem with a specially
crafted YAML file. This vulnerability appears to have been fixed in
2.7.6. (CVE-2018-1000074)
Path traversal issue during gem installation allows writing to
arbitrary filesystem locations:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
Directory Traversal vulnerability in gem installation: the gem could
write to arbitrary filesystem locations during installation. The
attack appears to be exploitable when the victim installs a malicious
gem. This vulnerability appears to have been fixed in 2.7.6.
(CVE-2018-1000079)
If a script accepts an external input and outputs it without
modification as part of HTTP responses, an attacker can use newline
characters to deceive clients into treating the HTTP response header
as ending there, and can inject fake HTTP responses after the newline
characters to show malicious content to the clients. (CVE-2017-17742)
The Dir.mktmpdir method introduced by the tmpdir library accepts the
prefix and the suffix of the directory to be created as its first
parameter. The prefix can contain relative directory specifiers '../',
so this method can be used to target any directory. So, if a script
accepts an external input as the prefix, and the targeted directory
has inappropriate permissions or the ruby process has inappropriate
privileges, the attacker can create a directory or a file in any
directory. (CVE-2018-6914)
If an attacker sends a large request which contains huge HTTP headers,
WEBrick tries to process it in memory, so the request causes an
out-of-memory DoS. (CVE-2018-8777)
String#unpack receives format specifiers as its parameter, and the
position from which to parse the data can be specified with the @
specifier. If a big number is passed with @, the number is treated as
a negative value, and an out-of-buffer read occurs. So, if a script
accepts an external input as the argument of String#unpack, the
attacker can read data on the heap. (CVE-2018-8778)
UNIXServer.open accepts the path of the socket to be created as its
first parameter. If the path contains NUL (\0) bytes, this method
treats the path as ending before the NUL bytes. So, if a script
accepts an external input as the argument of this method, the attacker
can make the socket file at an unintended path. UNIXSocket.open also
accepts the path of the socket to be created as its first parameter
without checking for NUL bytes, like UNIXServer.open. So, if a script
accepts an external input as the argument of this method, the attacker
can access the socket file at an unintended path. (CVE-2018-8779)
Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the
target directory as their parameter. If the parameter contains NUL
(\0) bytes, these methods treat the path as ending before the NUL
bytes. So, if a script accepts an external input as the argument of
these methods, the attacker can cause unintended directory
traversal. (CVE-2018-8780)
last seen: 2019-01-16
modified: 2018-05-11
plugin id: 108846
published: 2018-04-06
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=108846
title: Amazon Linux AMI : ruby20 / ruby22,ruby23,ruby24 (ALAS-2018-983)
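The checks a defender wants against the patterns catalogued on this page (the CAPEC entries on parent references, percent-encoded and mixed slashes, and the Ruby advisories on NUL-byte truncation in CVE-2018-8779/CVE-2018-8780 and a traversing Dir.mktmpdir prefix in CVE-2018-6914), as an added Ruby example. It is not part of the CAPEC text, the Ruby project, RubyGems or any advisory quoted above; the SafePath module, its method names and the /srv/app/files base directory are assumptions constructed for the demo.

```ruby
# Added example, not from CAPEC, Ruby, RubyGems or the advisories above.
# Module/method names and the base directory are assumptions.
require "tmpdir"

module SafePath
  class Rejected < StandardError; end

  # Decode %XX sequences exactly once, working on raw bytes so that a high
  # byte (e.g. %C0) cannot raise an encoding error mid-decode.
  def self.percent_decode(raw)
    raw.b.gsub(/%([0-9A-Fa-f]{2})/) { [$1.hex].pack("C") }.force_encoding("UTF-8")
  end

  # Resolve an externally supplied relative path under a fixed base directory.
  # Returns the absolute path, or raises Rejected when the input uses any of
  # the tricks the CAPEC entries describe: parent references, absolute paths,
  # backslash separators, NUL truncation, or double percent-encoding.
  def self.resolve(base, user_path)
    base = File.expand_path(base)
    decoded = percent_decode(user_path.to_s)
    # A '%' surviving one decode means the input was encoded twice; reject
    # rather than decode again, so no filter is applied to a stale form.
    raise Rejected, "double-encoded path" if decoded.include?("%")
    raise Rejected, "NUL byte in path" if decoded.include?("\0")
    raise Rejected, "invalid byte sequence" unless decoded.valid_encoding?

    # Treat backslash as a separator too, so "..\\" gets the same handling as "../".
    normalized = decoded.tr("\\", "/")
    raise Rejected, "absolute path" if normalized.start_with?("/")

    segments = normalized.split("/").reject { |s| s.empty? || s == "." }
    raise Rejected, "parent directory reference" if segments.include?("..")

    full = File.expand_path(File.join(base, *segments))
    # Belt and braces: whatever the segment checks missed, the result must
    # still sit inside base.
    raise Rejected, "escapes base directory" unless full == base || full.start_with?("#{base}/")
    full
  end

  # Boolean form of resolve, convenient for logging or tests.
  def self.allowed?(base, user_path)
    resolve(base, user_path)
    true
  rescue Rejected
    false
  end

  # A Dir.mktmpdir prefix must be a single path component: the CVE-2018-6914
  # description above shows what "../" in the prefix lets an attacker do.
  def self.tmpdir_prefix(raw)
    raise Rejected, "prefix must be a single path component" if raw.empty? || raw.match?(%r{[/\\\0]})
    raw
  end
end

if __FILE__ == $PROGRAM_NAME
  base = "/srv/app/files" # constructed base directory for the demo
  ["reports/q1.txt", "../etc/passwd", "%2e%2e/etc/passwd", "reports\\..\\..\\etc\\passwd",
   "reports%00.txt/../../etc/passwd", "%252e%252e/etc/passwd"].each do |p|
    begin
      puts "#{p.inspect} -> #{SafePath.resolve(base, p)}"
    rescue SafePath::Rejected => e
      puts "#{p.inspect} -> rejected (#{e.message})"
    end
  end
  Dir.mktmpdir(SafePath.tmpdir_prefix("upload")) { |d| puts "temp dir: #{d}" }
end
```

The final containment check is deliberately kept even though the segment checks already reject `..`: it is the one line that remains correct if a future edit loosens the earlier filters, and it is also what makes the check independent of which separator the platform prefers.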