Ruby and omniauth
Ruby and omniauth: Sometime they are back. In a world where modern programming languages take care about memory it’s uncommon to talk about buffer overflows.
As described in the original post, a special crafted string when converted to its floating point representation, it can cause an heap based buffer overflow.
Buffer overflows can cause the program to stop due to segmentation fault error (and this can be seen as a denial of service to the target application) or to arbitrary code execution if the instruction pointer register is successfully overwritten by the address of the malicious code.
Writing shellcodes is an art. I’m not that good in writing shellcodes but we will go deep in understanding what a buffer overflow is in future posts.
More importan is that “…any program that converts input of unknown origin to floating point values (especially common when accepting JSON) are vulnerable.”
This means that every code taking output from the external and turning it to a floating pointer number is vulnerable.
Ruby interpreters affected by this vulnerability are:
- All ruby 1.8 versions
- All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 484
- All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 353
- All ruby 2.1 versions prior to ruby 2.1.0 preview2
- prior to trunk revision 43780