Apologies for cross-posting to the Faye, Ruby and Node lists, but I need to get the word out.
This afternoon I discovered a vulnerability in the Faye pub/sub messaging server that allows an attacker to invoke arbitrary methods from the Server object, and any methods it inherits from Object. If you are running Faye in production, YOU MUST UPGRADE to either 0.8.8, 0.7.2 or 0.6.8 to fix this problem. Please contact the Faye mailing list at [email protected] if you have questions.

Specifically, it allows any of these methods to be invoked with the following argument list:

  Ruby: a JSON-derived Hash, the value `false`, and a block
  JavaScript: a JSON-derived object, the value `false`, a function, and the Server instance itself

In Ruby this is a particular problem since many built-in methods for starting child processes, writing to stdout, etc, are implemented as methods on Object. All of these can be invoked, as well as anything added to Object by libraries like ActiveSupport. In many cases the types and number of arguments will raise an error before any code is invoked, but some methods succeed in running with the above arguments. It is not clear at this point whether this code allows remote code execution.
I have checked eval(), exec(), the ` method and system(), and they all fail with the above arguments:

  >> __send__(:`, value, false) {}
  ArgumentError: wrong number of arguments(2 for 1)
      from (irb):16:in ``'
      from (irb):16
      from /home/james/.rbenv/versions/1.9.3-p286/bin/irb:12:in `<main>'
  >> __send__(:eval, value, false) {}
  TypeError: can't convert Hash into String
      from (irb):17:in `eval'
      from (irb):17
      from /home/james/.rbenv/versions/1.9.3-p286/bin/irb:12:in `<main>'
  >> __send__(:exec, value, false) {}
  TypeError: can't convert false into String
      from (irb):18:in `exec'
      from (irb):18
      from /home/james/.rbenv/versions/1.9.3-p286/bin/irb:12:in `<main>'
  >> __send__(:system, value, false) {}
  TypeError: can't convert false into String
      from (irb):19:in `system'
      from (irb):19
      from /home/james/.rbenv/versions/1.9.3-p286/bin/irb:12:in `<main>'

However some methods like puts() and p() do work:

  >> __send__(:p, value, false) {}
  {"channel"=>"/meta/p"}
  false
  => [{"channel"=>"/meta/p"}, false]
  >> __send__(:puts, value, false) {}
  {"channel"=>"/meta/p"}
  false
  => nil

You can also invoke various meta-programming methods, and invoke methods on the Faye Server to cause weird protocol violations and stack overflows.

The above-listed releases fix this problem by white-listing the callable methods to only those that are designed to handle incoming messages. All other methods generate a protocol error that is reported back to the client. In addition, the Ruby server, prior to this patch, generated Symbols from user input, and this has also been disabled.

Please contact me directly if you have further insight into the effects of this vulnerability.
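As an added illustration (not Faye's own code; the handler names, message shape and method names here are assumed), the vulnerable dispatch shape the post describes beside the whitelisted form the fixed releases use:

```ruby
require 'json'

# Illustrative /meta/* dispatcher modelled on the behaviour described in the post.
# This is NOT Faye's code: handler names and message shapes are assumptions.
class MetaServer
  # The only methods a client may reach through a "/meta/<name>" channel.
  META_HANDLERS = %w[handshake connect].freeze

  def handshake(_message, _local, &callback)
    callback.call('channel' => '/meta/handshake', 'successful' => true)
  end

  def connect(_message, _local, &callback)
    callback.call('channel' => '/meta/connect', 'successful' => true)
  end

  # Vulnerable shape: the method name is taken verbatim from the client's channel,
  # interned as a Symbol, and dispatched with __send__ (which ignores visibility).
  # "/meta/p" therefore reaches Kernel#p with (message, false, &callback), exactly
  # the argument list the post lists for Ruby.
  def dispatch_unchecked(message, &callback)
    name = message['channel'].sub(%r{\A/meta/}, '')
    __send__(name.to_sym, message, false, &callback)
  end

  # Hardened shape: the name is compared as a String against a fixed whitelist
  # before any Symbol is created from user input, and any other name is answered
  # with a protocol error reported back to the client instead of a method call.
  def dispatch_checked(message, &callback)
    channel = message['channel'].to_s
    name = channel.sub(%r{\A/meta/}, '')
    unless META_HANDLERS.include?(name)
      return callback.call('channel' => channel, 'successful' => false,
                           'error' => "protocol error: unknown meta channel #{channel}")
    end
    __send__(name, message, false, &callback)
  end
end
```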
The patch, should you need to apply it yourself, is here: https://github.com/faye/faye/commit/730d364893bae2ca6cdd05da398bd58aa670d634

--
James Coglan
http://jcoglan.com
+44 (0) 7771512510
