Jenia_Vinokurov
Legacy Employee

A new article was recently published by vakzz describing the latest version of a known universal deserialization gadget for Ruby 2.x-3.x.

OWASP's description of deserialization:

"Data which is untrusted cannot be trusted to be well-formed. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized."

It is often convenient to serialize objects in order to transmit them or to save them for later use. However, serialized data can be modified before it is deserialized, without going through the accessor functions the class provides, so the resulting object's invariants are not enforced.

The published gadget is universal, meaning it depends only on classes that ship with a default Ruby installation. It can therefore execute arbitrary code in any Ruby application that deserializes untrusted input. In recent years several gadgets were discovered that allowed Ruby-based applications to be compromised; those were later patched.

In the new article, the universal gadget is demonstrated against a vulnerable application built on the Ruby on Rails web framework that deserializes user input via the Marshal.load class method.
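As an added example (not code from the article, from vakzz or from F5), the unsafe pattern described above is shown next to two hardened alternatives: a data-only format, and Marshal restricted to blobs the server itself signed. The handler names, the HMAC key and the token layout are assumptions made for the illustration.

```ruby
# Added example (not the article's code): the unsafe pattern the article
# describes, next to two hardened alternatives.
require 'json'
require 'openssl'

# Vulnerable: Marshal.load instantiates whatever classes the byte stream
# names, which is exactly what a gadget chain relies on. Never do this with
# client-controlled bytes.
def load_session_unsafe(raw)
  Marshal.load(raw)
end

# Hardened option 1: a data-only format. JSON.parse builds only hashes,
# arrays, strings, numbers, booleans and nil; create_additions stays off so
# no class is ever looked up from the input.
def load_session_json(raw)
  JSON.parse(raw, create_additions: false)
end

# Hardened option 2: if Marshal must stay (server-generated blobs only),
# load nothing the server did not sign. Key and token layout are assumptions.
SESSION_KEY = 'constructed-example-key-do-not-use'.freeze

def sign(blob)
  OpenSSL::HMAC.hexdigest('SHA256', SESSION_KEY, blob)
end

# Constant-time comparison so the MAC cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Token layout (assumed): "<hex hmac>--<base64 marshal blob>"
def dump_signed(obj)
  blob = Marshal.dump(obj)
  "#{sign(blob)}--#{[blob].pack('m0')}"
end

# Returns the object, or nil when the token is malformed or tampered with.
# The MAC is checked before Marshal.load ever sees the bytes.
def load_signed(token)
  mac, b64 = token.split('--', 2)
  return nil unless mac && b64
  blob = b64.unpack1('m0')                 # strict base64, raises on junk
  return nil unless secure_equal?(mac, sign(blob))
  Marshal.load(blob)
rescue ArgumentError
  nil
end
```

The signed variant only helps when the secret never leaves the server; a leaked key reduces it to the unsafe form, which is why the data-only format is the preferred fix.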

The new universal gadget uses a chain consisting of both previously known classes and ones that had not appeared in earlier gadgets:

"\x04\b[\bc\x15Gem::SpecFetcherc\x13Gem::InstallerU:\x15Gem::Requirement[\x06o:\x1CGem::Package::TarReader\x06:\b@ioo:\x14Net::BufferedIO\a;\ao:#Gem::Package::TarReader::Entry\a:\n@readi\x00:\f@headerI\"\baaa\x06:\x06ET:\x12@debug_outputo:\x16Net::WriteAdapter\a:\f@socketo:\x14Gem::RequestSet\a:\n@setso;\x0E\a;\x0Fm\vKernel:\x0F@method_id:\vsystem:\r@git_setI\"\aid\x06;\fT;\x12:\fresolve"

The following request was sent to a Ruby-based web application using the described gadget:

[Screenshot: the request carrying the gadget chain]


Mitigation with BIG-IP Advanced WAF

Advanced WAF customers on any supported BIG-IP version are already protected against this vulnerability. An exploitation attempt is detected by the existing "Ruby Universal Deserialization Gadget" attack signatures, which are included in signature sets that contain the "Server-Side Code Injection" attack type or the "Ruby" system.

The specific signatures:

200004478, 200004479, 200004480
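An added example, not the article's or F5's signature logic: a small request-body inspector that looks for a Marshal stream and the constant names the published chain references, without ever deserializing anything. The class list is taken from the chain quoted above; the sample fragment is constructed from that chain's first two class references only and is not a working payload; the function names and verdict labels are assumptions.

```ruby
# Added example (not the article's or F5's code): inspect a request body for
# a Ruby Marshal stream and the constants a gadget chain references, without
# ever calling Marshal.load.

MARSHAL_MAGIC = "\x04\x08".b.freeze   # Marshal format 4.8 header

# Class/module names that the published universal gadget chain references.
GADGET_CLASSES = %w[
  Gem::SpecFetcher Gem::Installer Gem::Requirement Gem::Package::TarReader
  Gem::Package::TarReader::Entry Net::BufferedIO Net::WriteAdapter
  Gem::RequestSet
].freeze

# Constructed sample: only the first two class references of the published
# chain, so it trips the check but is not a working payload.
SAMPLE_FRAGMENT = "\x04\b[\bc\x15Gem::SpecFetcherc\x13Gem::Installer".b.freeze

# Marshal encodes class ('c'), module ('m') and symbol (':') names as a type
# byte, a one-byte length (value + 5 for lengths 1..122) and the raw name.
# Scan for that shape and keep anything that looks like a Ruby constant path.
def extract_constants(stream)
  s = stream.b
  found = []
  i = 0
  while i < s.bytesize - 1
    if [99, 109, 58].include?(s.getbyte(i))          # 'c', 'm', ':'
      len = s.getbyte(i + 1) - 5
      if len.between?(2, 122) && i + 2 + len <= s.bytesize
        name = s.byteslice(i + 2, len)
        found << name if name.match?(/\A[A-Z][A-Za-z0-9_]*(?:::[A-Z][A-Za-z0-9_]*)*\z/)
      end
    end
    i += 1
  end
  found.uniq
end

# Accepts a raw body or a base64-encoded one. Returns findings and a verdict:
#   :pass   - no Marshal stream present
#   :review - a Marshal stream arrived from a client (suspicious on its own)
#   :block  - the stream references classes from the known gadget chain
def inspect_body(body)
  raw = body.b
  decoded = begin
    raw.unpack1('m0')                   # strict base64; nil if not base64
  rescue ArgumentError
    nil
  end
  stream = [raw, decoded].compact.find { |c| c.start_with?(MARSHAL_MAGIC) }
  return { marshal: false, constants: [], gadget_hits: [], verdict: :pass } unless stream

  constants = extract_constants(stream)
  hits = constants & GADGET_CLASSES
  { marshal: true, constants: constants, gadget_hits: hits,
    verdict: hits.empty? ? :review : :block }
end
```

The byte scan is deliberately simple: it reads the length-prefixed names the Marshal format uses rather than parsing the whole grammar, which is enough to surface the class names in a chain like the one above. Product signatures such as the ones listed cover more encodings and variants than this sketch, and the :review verdict reflects that a Marshal stream arriving from a client is itself something an application should not accept.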

[Screenshots: the Advanced WAF signature matches for the request]

We will also be releasing a more accurate signature to detect this specific new gadget.

Relevant links:

· https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html

· https://www.elttam.com/blog/ruby-deserialization/

Last update: 11-Jan-2021 11:14