Thursday, 3 January 2013

On exploiting CVE-2012-5664...

Just a quick write-up on this; I will probably do an exercise on it soon, like I did for the previous bug in ActiveRecord. It's pretty trivial to exploit if you have the right condition...

The right condition being: the ability to send symbols to ActiveRecord. When you read the advisory, you could think that this bug could be exploited by just doing something like: http://vulnerable/?id[select]=SQL.

However, ActiveSupport (a Rails core library used by ActiveRecord) prevents this, since it ensures the keys are valid and that they are symbols:

  class Hash
    def assert_valid_keys(*valid_keys)
      unknown_keys = keys - [valid_keys].flatten
      raise(ArgumentError, "Unknown key(s): #{unknown_keys.join(", ")}") unless unknown_keys.empty?
    end
  end

From my testing the following keys are valid: :conditions, :include, :joins, :limit, :offset, :extend, :order, :select, :readonly, :group, :having, :from, :lock. And since Ruby cares about data type (i.e. the string "select" and the symbol :select are not the same thing):

>> ["select"] - [:select]
=> ["select"]

It can't be trivially exploited like in the URL above. I can't think of any way to bypass this at the moment... However, if you can modify a Rack session for example (especially if you don't sign them because you think they don't contain anything worth tampering with), it's trivial to exploit ;)
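As an added example (not code from the original post, nor the upstream Rails patch), here is the key check reproduced alongside a small guard that refuses structured values before they reach a finder. The constants FINDER_OPTION_KEYS and QUERY_STRING_OPTIONS, and the functions passes_key_check?, session_roundtrip and scalar_finder_value, are all assumed names for this illustration.

```ruby
# Added example, not code from the original post or from Rails itself.
# It reproduces the key check quoted above and shows why the origin of a
# hash (query string vs. deserialized session) decides whether it passes.

# The valid finder option keys listed in the post.
FINDER_OPTION_KEYS = [:conditions, :include, :joins, :limit, :offset, :extend,
                      :order, :select, :readonly, :group, :having, :from, :lock].freeze

class Hash
  # Same logic as the ActiveSupport core extension quoted in the post.
  def assert_valid_keys(*valid_keys)
    unknown_keys = keys - [valid_keys].flatten
    raise(ArgumentError, "Unknown key(s): #{unknown_keys.join(', ')}") unless unknown_keys.empty?
  end
end

# Returns true if ActiveSupport's check would let these finder options through.
def passes_key_check?(options)
  options.assert_valid_keys(*FINDER_OPTION_KEYS)
  true
rescue ArgumentError
  false
end

# Constructed sample: what a Rack query parser produces for ?id[select]=1
# is a hash with String keys only, so the check above rejects it.
QUERY_STRING_OPTIONS = { "select" => "1" }.freeze

# A Marshal round trip (the serialization used by classic Rack/Rails
# session stores) preserves Symbol keys, which is why an unsigned or
# tampered session is a different story from a query string.
def session_roundtrip(obj)
  Marshal.load(Marshal.dump(obj))
end

# Defensive guard (assumed mitigation, not the upstream Rails fix): a value
# destined for a dynamic finder must be a scalar, never a Hash or Array,
# regardless of where it came from.
def scalar_finder_value(value)
  case value
  when String, Integer, Float, NilClass, true, false then value
  else raise ArgumentError, "structured value (#{value.class}) not allowed in finder"
  end
end
```

Applying the guard at the controller boundary (before any session or parameter value is handed to a finder) removes the dependency on whether the session store is signed.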