Thread: Webrick directory traversal exploit on UNIX




Webrick directory traversal exploit on UNIX
2008-03-11 16:52:52
DSecRG Advisory #DSECRG-08-026 aka -018 describes a remote directory traversal
exploit which appears to _only_ have been fixed for DOSISH systems using 's.
See http://www.securityfocus.com/archive/1/489205 for details.

When one runs

    telnet webrick-server
    GET //../../../../../../../../../etc/passwd HTTP/1.0

/etc/passwd is shown (=bad). This means that e.g. ruby-1.8.5-p115 is still
vulnerable on UNIX.

-- 
Jos Backus
jos at catnook.com
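
The request line in the report above only works against a file handler that maps the URL path onto the file system without confining the result to its document root. The containment check below is an added example, not code from WEBrick or any other server discussed in this thread; `DOC_ROOT`, `target_of`, `resolve_under_root` and `check` are hypothetical names, and the document root is a constructed value.

```ruby
# Constructed document root for the example; nothing is read from disk.
DOC_ROOT = "/srv/www/public"

# Pull the request target out of an HTTP request line such as
# "GET /index.html HTTP/1.0". Returns nil for a malformed line.
def target_of(request_line)
  verb, target, version = request_line.strip.split(" ", 3)
  return nil unless verb && target && version.to_s.start_with?("HTTP/")
  target
end

# Map a request target to an absolute path under root, or return nil when
# the normalised path would fall outside root.
def resolve_under_root(target, root = DOC_ROOT)
  # Drop the query string and work on raw bytes.
  path = target.split("?", 2).first.to_s.b
  # Decode percent-escapes once, so the check sees the same characters
  # the file system would see.
  path = path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  return nil if path.include?("\0")
  # Treat backslash as a separator too, as DOSISH platforms do.
  path = path.tr("\\", "/")
  # Lexical normalisation: collapses "//", "." and ".." segments.
  # It does not resolve symlinks; a server that follows symlinks needs
  # File.realpath on an existing file in addition to this check.
  full = File.expand_path(File.join(root, path))
  # Compare on a separator boundary so "/srv/www/public-old" is not
  # mistaken for a path inside "/srv/www/public".
  inside = full == root || full.start_with?(root + "/")
  inside ? full : nil
end

# Convenience wrapper: request line in, confined path or nil out.
def check(request_line)
  target = target_of(request_line)
  target && resolve_under_root(target)
end

if __FILE__ == $PROGRAM_NAME
  [
    "GET //../../../../../../../../../etc/passwd HTTP/1.0", # from the report
    "GET /index.html HTTP/1.0",                             # constructed
    "GET /docs/../index.html HTTP/1.0"                      # constructed
  ].each { |line| puts "#{line.inspect} => #{check(line).inspect}" }
end
```
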


Re: Webrick directory traversal exploit on UNIX
2008-03-11 17:36:54
Hi,

Jos Backus wrote:
> /etc/passwd is shown (=bad). This means that e.g. ruby-1.8.5-p115 is still
> vulnerable on UNIX.


First of all, thank you very much for reporting this.  We will fix this
issue as soon as possible.

But your posting this sensitive info on a public mailing list caused a
bit worrying situation where all existing WEBrick servers
are now facing a threat of attacks.  Next time would you please send us
security considerations for security at ruby-lang.org?

To people running WEBrick servers:  we are now analyzing this issue.
This is my personal opinion but it is safer for you to stop your
processes (if possible) until we fix this.  Please stay tuned for
upcoming announces.


Re: Webrick directory traversal exploit on UNIX
2008-03-11 17:55:36
On Tue, Mar 11, 2008 at 2:52 PM, Jos Backus <jos at catnook.com> wrote:
> DSecRG Advisory #DSECRG-08-026 aka -018 describes a remote directory traversal
>  exploit which appears to _only_ have been fixed for DOSISH systems using 's.
>  See http://www.securityfocus.com/archive/1/489205 for details.
>
>  When one runs
>
>     telnet webrick-server
>     GET //../../../../../../../../../etc/passwd HTTP/1.0
>
>  /etc/passwd is shown (=bad). This means that e.g. ruby-1.8.5-p115 is still
>  vulnerable on UNIX.
>

The securityfocus link above appears to say that ONLY DOS-like systems
are affected, not the reverse, as you indicate.
Am I reading it incorrectly?


Re: Webrick directory traversal exploit on UNIX
2008-03-11 17:56:42
On Mar 11, 2008, at 15:36 , Urabe Shyouhei wrote:

> But your posting this sensitive info on a public mailing list caused
> a bit worrying situation where all existing WEBrick servers
> are now facing a threat of attacks.  Next time would you please send
> us security considerations for security at ruby-lang.org?

I sent Jos here. I figured that was fine because the issue IS public
and was reported as resolved:

   http://www.securityfocus.com/archive/1/489205

says:

> fixed on 03.03.2008.
>
> http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/
>
> Patches can be downloaded here:
>
> 1.8 series
> Please upgrade to 1.8.5-p115 or 1.8.6-p114.
>
> <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p115.tar.gz>
> (md5sum: 20ca6cc87eb077296806412feaac0356)
>
> <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p114.tar.gz>
> (md5sum: 500a9f11613d6c8ab6dcf12bec1b3ed3)
> 1.9 series
> Please apply the following patch to lib/webrick/httpservlet/filehandler.rb.
>
> <URL:ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff>
> (md5sum: b7b58aed40fa1609a67f53cfd3a13257)




Re: Webrick directory traversal exploit on UNIX
2008-03-11 22:07:34
On Wed, Mar 12, 2008 at 07:55:36AM +0900, Wilson Bilkovich wrote:
[snip]
> The securityfocus link above appears to say that ONLY DOS-like systems
> are affected, not the reverse, as you indicate.
> Am I reading it incorrectly?

No, it was my mistake. The application that tripped the Nessus alarm used to
be hosted by Webrick but is now hosted by what turns out to be a vulnerable
version of Mongrel. Upgrading the Mongrel fixes the issue.

-- 
Jos Backus
jos at catnook.com


Re: Webrick directory traversal exploit on UNIX
2008-03-11 22:24:20
On Wed, Mar 12, 2008 at 07:36:54AM +0900, Urabe Shyouhei wrote:
> Hi,
>
> Jos Backus wrote:
>> /etc/passwd is shown (=bad). This means that e.g. ruby-1.8.5-p115 is still
>> vulnerable on UNIX.
>
> First of all, thank you very much for reporting this.  We will fix this
> issue as soon as possible.
>
> But your posting this sensitive info on a public mailing list caused a bit
> worrying situation where all existing WEBrick servers
> are now facing a threat of attacks.  Next time would you please send us
> security considerations for security at ruby-lang.org?
>
> To people running WEBrick servers:  we are now analyzing this issue.  This
> is my personal opinion but it is safer for you to stop your processes (if
> possible) until we fix this.  Please stay tuned for upcoming announces.

I'm so sorry. It's a false alarm. The reason we were confused was because a
colleague brought the directory traversal bug in our web application to our
attention. Doing some googling I found the recently fixed bug in Webrick,
thinking there had to be another issue at hand, hence the email. Further
inspection of our setup revealed that we are running a vulnerable version of
Mongrel, not Webrick. We used to run Webrick for this app which explains why I
was thinking the problem was with Webrick.

In short, it's a (since fixed) Mongrel issue, Webrick is _not_ vulnerable. My
sincere apologies for the false alarm. Thank you for your quick response and
caring.

-- 
Jos Backus
jos at catnook.com


Re: Webrick directory traversal exploit on UNIX
2008-03-11 22:24:31
On Wed, Mar 12, 2008 at 07:36:54AM +0900, Urabe Shyouhei wrote:
> But your posting this sensitive info on a public mailing list caused a bit
> worrying situation where all existing WEBrick servers
> are now facing a threat of attacks.  Next time would you please send us
> security considerations for security at ruby-lang.org?

I will certainly do so. Thank you for the address.

-- 
Jos Backus
jos at catnook.com

