CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket

Posted by usa on 28 Mar 2018

There is a unintentional socket creation vulnerability in UNIXServer.open method of socket library bundled with Ruby. And there is also a unintentional socket access vulnerability in UNIXSocket.open method. This vulnerability has been assigned the CVE identifier CVE-2018-8779.

Details

UNIXServer.open accepts the path of the socket to be created at the first parameter. If the path contains NUL (\0) bytes, this method recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of this method, the attacker can make the socket file in the unintentional path. And, UNIXSocket.open also accepts the path of the socket to be created at the first parameter without checking NUL bytes like UNIXServer.open. So, if a script accepts an external input as the argument of this method, the attacker can accepts the socket file in the unintentional path.

All users running an affected release should upgrade immediately.

Affected Versions

• Ruby 2.2 series: 2.2.9 and earlier
• Ruby 2.3 series: 2.3.6 and earlier
• Ruby 2.4 series: 2.4.3 and earlier
• Ruby 2.5 series: 2.5.0 and earlier
• Ruby 2.6 series: 2.6.0-preview1
• prior to trunk revision r62991

Credit

Thanks to ooooooo_q for reporting the issue.

History

• Originally published at 2018-03-28 14:00:00 (UTC)