Mitigating Universal Ruby RCE Deserialization Gadget with Advanced WAF
A new article was recently published by vakzz describing the latest version of a known universal deserialization gadget for Ruby 2.x-3.x.
OWASP Deserialization Description:
"Data which is untrusted cannot be trusted to be well-formed. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized."
Serializing objects is a convenient way to transmit them or to store them for later use. However, serialized data or code can often be modified before it is deserialized, bypassing the accessor functions the application provides.
The published gadget is universal, meaning it depends only on classes that ship with a default Ruby installation, so it can execute arbitrary code in any Ruby application. In recent years many gadgets were discovered that allowed Ruby-based applications to be compromised, and they were later patched.
The new article demonstrates the universal gadget against a vulnerable application built on the Ruby on Rails web framework that deserializes user input via the "Marshal.load" class method.
The new universal gadget uses a chain that combines previously known classes with ones that had not been encountered in a gadget before:
"\x04\b[\bc\x15Gem::SpecFetcherc\x13Gem::InstallerU:\x15Gem::Requirement[\x06o:\x1CGem::Package::TarReader\x06:\b@ioo:\x14Net::BufferedIO\a;\ao:#Gem::Package::TarReader::Entry\a:\n@readi\x00:\f@headerI\"\baaa\x06:\x06ET:\x12@debug_outputo:\x16Net::WriteAdapter\a:\f@socketo:\x14Gem::RequestSet\a:\n@setso;\x0E\a;\x0Fm\vKernel:\x0F@method_id:\vsystem:\r@git_setI\"\aid\x06;\fT;\x12:\fresolve"
The following request was sent to a Ruby-based web application using the described gadget:
Screenshot:
Mitigation with BIG-IP Advanced WAF
Advanced WAF customers on any supported BIG-IP version are already protected against this vulnerability. Exploitation attempts are detected by the existing Ruby Universal Deserialization Gadget attack signatures, which are included in signature sets that cover the "Server-Side Code Injection" attack type or the "Ruby" system.
The specific signatures are:
200004478, 200004479, 200004480
Screenshot:
We will also be releasing a more accurate signature to detect this specific new gadget.
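The two points above, the vulnerable "Marshal.load on user input" pattern and the signature-style detection of the gadget, are illustrated in the following added example. It is not code from the article, from the vakzz write-up or from BIG-IP Advanced WAF; the function names (inspect_body, unsafe_load, safe_load), the sample request bodies and the detection logic are assumptions constructed for this illustration. The detection keys on the Marshal format header (0x04 0x08) and on the class names that appear in the gadget chain quoted above; a real WAF signature is more elaborate, but the idea is the same.

```ruby
require 'json'

# Header bytes of Ruby's Marshal format: major version 4, minor version 8
# (unchanged from Ruby 1.8 through 3.x).
MARSHAL_MAGIC = "\x04\x08".b

# Class names that appear in the published gadget chain (taken from the
# payload quoted on the page). Their presence in a request body is a
# strong indicator of a deserialization attack attempt.
GADGET_CLASS_NAMES = %w[
  Gem::SpecFetcher
  Gem::Installer
  Gem::Requirement
  Gem::Package::TarReader
  Net::BufferedIO
  Gem::Package::TarReader::Entry
  Net::WriteAdapter
  Gem::RequestSet
].freeze

# Hypothetical inspection routine modelled on what a WAF attack signature does.
# Returns a list of findings for a raw request body; an empty list means
# nothing suspicious was seen.
def inspect_body(body)
  findings = []
  raw = body.b # inspect bytes regardless of the declared string encoding
  findings << 'marshal_header' if raw.start_with?(MARSHAL_MAGIC)
  hits = GADGET_CLASS_NAMES.select { |name| raw.include?(name.b) }
  findings << "gadget_classes:#{hits.join(',')}" unless hits.empty?
  findings
end

# The vulnerable pattern described on the page: the application hands a
# user-controlled body straight to Marshal.load. Shown for contrast only;
# nothing in this example calls it.
def unsafe_load(body)
  Marshal.load(body)
end

# Safer replacement: reject anything that looks like Marshal data, then parse a
# plain-data format that cannot instantiate arbitrary Ruby classes, and check
# the result has the expected shape.
def safe_load(body)
  findings = inspect_body(body)
  raise ArgumentError, "rejected request body: #{findings.join('; ')}" unless findings.empty?
  data = JSON.parse(body, create_additions: false)
  raise ArgumentError, 'expected a JSON object' unless data.is_a?(Hash)
  data
end

# Constructed sample inputs (assumptions for this example). The first is a
# truncated copy of the opening bytes of the gadget quoted on the page; it is
# not a working payload, only enough to exercise the detection.
SAMPLE_GADGET_BODY = "\x04\x08[\x08c\x15Gem::SpecFetcherc\x13Gem::Installer".b
SAMPLE_BENIGN_BODY = '{"user":"alice","role":"viewer"}'

if __FILE__ == $PROGRAM_NAME
  puts "gadget body findings: #{inspect_body(SAMPLE_GADGET_BODY).inspect}"
  puts "benign body findings: #{inspect_body(SAMPLE_BENIGN_BODY).inspect}"
  puts "safe_load(benign) => #{safe_load(SAMPLE_BENIGN_BODY).inspect}"
  begin
    safe_load(SAMPLE_GADGET_BODY)
  rescue ArgumentError => e
    puts "safe_load(gadget) => #{e.message}"
  end
end
```

In practice the application-side fix is to stop calling Marshal.load on anything that crosses a trust boundary, as in safe_load, and to treat the WAF signature as defence in depth; the inspection above shows why the signature fires on the request from the article (Marshal header plus the gadget's class names), but a byte-level check on its own is easy to evade, so it should not be the only control.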
Relevant links:
· https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html