Posted by Urabe Shyouhei on 10 Jan 2010
A vulnerability was found in WEBrick, a part of Ruby's standard library. WEBrick lets attackers inject malicious escape sequences into its logs, making it possible for dangerous control characters to be executed on a victim's terminal emulator.
We already have a fix for it. Releases for every active branch will follow this announcement. In the meantime, we recommend that you avoid looking at your WEBrick logs until you update your WEBrick process.
Terminal escape sequences are used to allow various forms of interaction between a terminal and a process running inside it. The problem is that those sequences are not intended to be issued by untrusted sources, such as network inputs. So if a remote attacker could inject escape sequences into WEBrick logs, and a victim happens to consult them through his/her terminal, the attacker could take advantage of various weaknesses in terminal emulators.
And WEBrick fails to filter those terminal escape sequences.
% xterm -e ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port=>8080).start' &
% wget http://localhost:8080/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
Watch out for the window title of xterm.
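The following is an added example, not part of the original advisory and not the fix shipped by the Ruby project: one way to render untrusted request data harmless before it is logged, and to check an existing log for raw control bytes without displaying them. The names `neutralize`, `suspicious_lines`, `SAMPLE_PATH` and `SAMPLE_LOG` are hypothetical, and the sample log lines are constructed.

```ruby
require "uri"

# Constructed sample: the request path from the advisory's wget command.
SAMPLE_PATH = "/%1b%5d%32%3b%6f%77%6e%65%64%07%0a"

# Constructed sample log (format is illustrative, not WEBrick's exact output).
SAMPLE_LOG = "127.0.0.1 - - [10/Jan/2010:12:00:00 JST] \"GET /index.html HTTP/1.1\" 200 45\n" \
             "127.0.0.1 - - [10/Jan/2010:12:00:01 JST] \"GET /\e]2;owned\a\n HTTP/1.0\" 404 281\n"

# Rewrite control characters and backslashes in an untrusted field as visible
# \xNN text, so a terminal showing the log never receives a raw ESC or BEL.
def neutralize(field)
  s = field.dup.force_encoding(Encoding::UTF_8)
  raw = !s.valid_encoding?
  s = s.b if raw                      # invalid UTF-8: fall back to raw bytes
  s.each_char.map do |ch|
    cp = ch.ord
    if ch == "\\"
      "\\\\"                          # keep the escaped form unambiguous
    elsif cp < 0x20 || (0x7f..0x9f).cover?(cp) || (raw && cp > 0x9f)
      format("\\x%02X", cp)           # C0, DEL, C1, or an undecodable byte
    else
      ch
    end
  end.join
end

# Return [line_number, neutralized_text] for every log line that holds a raw
# C0 control byte or DEL (tab is allowed; newline is the line terminator).
def suspicious_lines(log_text)
  log_text.b.each_line.with_index(1)
          .select { |line, _| line.chomp.match?(/[\x00-\x08\x0b-\x1f\x7f]/) }
          .map { |line, n| [n, neutralize(line.chomp)] }
end

if __FILE__ == $0
  puts neutralize(URI.decode_www_form_component(SAMPLE_PATH))
  suspicious_lines(SAMPLE_LOG).each { |n, text| puts "line #{n}: #{text}" }
end
```

Because `suspicious_lines` prints only the neutralized form, it can be run over a log written by an unpatched server without sending the injected bytes to the terminal.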
- Ruby 1.8.6 patchlevel 383 and all prior versions
- Ruby 1.8.7 patchlevel 248 and all prior versions
- Development versions of Ruby 1.8 (1.8.8dev)
- Ruby 1.9.1 patchlevel 376 and all prior versions
- Development versions of Ruby 1.9 (1.9.2dev)
- Fixes for 1.8.6, 1.8.7, and 1.9.1 are to follow this announcement.
- Update 1.8.7 pl. 249 was released to fix this issue. 1.8.7 users are encouraged to upgrade.
- Update 1.9.1 pl. 378 was released to fix this issue. 1.9.1 users are encouraged to upgrade.
- Update 1.8.6 pl. 388 was released to fix this issue. 1.8.6 users are encouraged to upgrade.
- For development versions, please update to the most recent revision for each development branch.
Credit to Giovanni "evilaliv3" Pellerano, Alessandro "jekil" Tanasi, and Francesco "ascii" Ongaro for discovering this vulnerability.