-
-
Notifications
You must be signed in to change notification settings - Fork 218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Infinite loop calling to_json on ActiveModel::Name #130
Comments
corresponding oss-security entry http://www.openwall.com/lists/oss-security/2015/03/06/7 |
Yep, it's a DoS vulnerability. |
At a first look, I don't see the angle... but if there is an actual danger (read: a means by which an attacker could inject an |
I think the possibility of DDoS is just assumed due to the presence of an infinite looping behaviour - rather than any particular method to coerce an app to actually trigger the bug. |
https://cxsecurity.com/issue/WLB-2015030039 has the same title Ruby on Rails ActiveModel::Name to_json Call Infinite Loop Remote DoS as this issue. |
After reaching out to the Rails Security team last night, I quickly received this response:
|
I still think this could be used as a DoS. An attacker could send a request to trigger the infinite |
OTOH, this infinite loop is reproducible every time. So it's unlikely an attacker could somehow trigger this, but it somehow would not trigger under normal circumstances. |
I still don't understand how this is anything more than a bug.
@postmodern what requests? If you have an endpoint that evals user input, DoS is the least of your concerns. If you don't... how is an attacker going to invoke this method? The fact that |
@matthewd I was trying to imagine a scenario where a specific route accepted params to control what data to include into a JSON response or possibly the value to call What would make this a DoS vuln is if an attacker could somehow trigger the infinite loop with a specially crafted request, but normally the loop wouldn't be triggered. The attacker could then repeatedly hammer the web server with such requests, causing the app to consume CPU and degrade performance. This is similar to how the Slowloris vulnerability or how the famous LOIC DDoS tool worked. |
100% agree on this. An attacker-triggerable infinite loop is a DoS by definition. We just haven't advanced past "if application code calls an infinite loop, then an attacker could trigger an infinite loop", which is a tautology, not a framework vulnerability. I don't see how you trick an application into getting an Again, there are a whole raft of methods on a You're the security expert here, not me, but I still feel pretty strongly about this: The existence of a method does not a framework vulnerability make: it needs to be exploitable1 in some way for it to be a danger. Without a theoretical means of invoking it, this is at worst a bug, and is incidentally one of many ways an attacker could "escalate" some other RCE into a DoS. If the framework creates a vulnerability in an application only when it has an unreasonable combination of configuration options, that's still a framework vulnerability. But it's not a framework vulnerability that it's possible for an application to define a route that does Footnotes
|
The problem is
You could have an instance method on the model which returns def query_json
value = if params[:field] == 'name'
MyModel.model_name
elsif params[:id]
MyModel.find(params[:id])
end
render json: value
end
The problem with this analogy is that
That is a destructive operation and would only run once. Subsequent
And what if to exploit the vulnerable method, the developer needs to allow calling the method in some sort of exotic scenario or configuration? A vulnerability does not have to be 100% automatically remotely exploitable in order to be considered a vulnerability. Vulnerabilities often require certain user configurations or certain usages. This is why many DoS vulnerabilities are marked as "potential DoS" or include the phrase "under certain circumstances".
See the above example which does not require RCE to trigger. While it may be contrived, it's certainly plausible. I have seen stranger database ORM formatting code. |
It's contrived to literally call a method that always infinitely loops [up to the affected versions]. That's not a tricked app, that's a broken app. It's not the kernel's fault for carry the network packet, and it's not ruby's fault for implementing recursion. It is the framework's fault for having a method that when called will always get stuck -- but it's not a vulnerability until the application goes out of its way to expose the ability to call that method. The fact that
If it is your position that any bug is by definition a vulnerability (because if an app is "tricked" into calling it, that will result in different behaviour than a developer theoretically expected), then I will agree that this bug fell into that bucket.
Yes, your CPU will be safe... but I think your users might find their service is still denied thereafter. But my point was just that in discussing potential vulnerabilities, I think we need to put some effort into identifying a possible definition of the "somehow", not merely hand-wave it away.
Exotic, yes. That's what I said here:
We have a history of security releases that describe complex multi-prereq scenarios for an application to be vulnerable, backing that up. But exotic is not artificial. An application could throw a model name into There is a world of difference between "using the framework in an unusual way", and "writing independently exploitable code in the vicinity of the framework". If every possible broken-by-design application is a framework vulnerability, then I think you eliminate the communication value in enumerating vulnerabilities at all.
That's an example of something that's morally an eval, and is an RCE. Please don't do that. 😄 |
Asked the great and wise Kurt Seifried, and he states this does not warrant a CVE, but an open source Rails application which managed to trigger the bug would get it's own CVE. So closing this. |
Do we add an advisory on this?
http://osvdb.org/show/osvdb/118954
rails/rails#19055
rails/rails#19050
The text was updated successfully, but these errors were encountered: