RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN
How to Exploit Ruby 2.x Universal RCE Deserialization Gadget Chain
Ruby is a popular programming language that supports serialization and deserialization of objects using the Marshal class. Serialization is the process of converting an object into a series of bytes that can be stored or transferred, while deserialization is the process of reconstructing the object from the bytes. However, deserialization of untrusted data can lead to serious security vulnerabilities, such as arbitrary code execution.
In this article, we will explain what the Ruby 2.x Universal RCE Deserialization Gadget Chain is, how it works, and how it is used to gain remote code execution on a vulnerable Ruby application. We will also provide some tips on how to prevent this attack and secure your Ruby applications.
What is Ruby 2.x Universal RCE Deserialization Gadget Chain
Ruby 2.x Universal RCE Deserialization Gadget Chain is a technique that allows an attacker to execute arbitrary commands on a Ruby application by crafting a malicious serialized object that contains a chain of gadgets. Gadgets are pieces of code that are already available in the application or its dependencies, and that can be invoked by the deserializer to perform some actions. By chaining multiple gadgets together, an attacker can achieve remote code execution.
This technique was first discovered and published by Luke Jahnke from elttam in 2018 [1], and it works on all Ruby versions from 2.0 to 2.7. However, it was patched in Ruby 2.7.3 and Rails 6.1.1, so it no longer works on newer versions. Fortunately, William Bowling (vakzz) found a new gadget chain that works on all Ruby versions from 2.x to 3.x [2], and released it in January 2021.
How does Ruby 2.x Universal RCE Deserialization Gadget Chain work
The basic idea behind Ruby 2.x Universal RCE Deserialization Gadget Chain is to use the Marshal.load method to deserialize a specially crafted object that contains a chain of gadgets that will execute a system command. The object can be delivered to the application through various means, such as a cookie, a parameter, or a file upload.
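Why Marshal.load on attacker-controlled bytes is the root cause, shown with a harmless stand-in for a gadget beside the safe way to take the same data from a cookie or parameter. This is an added example, not code from the article or from the gadget-chain authors; the Tripwire class, the sample payloads and the plain_data? check are constructed here for illustration.

```ruby
require 'json'
# Harmless stand-in for a "gadget": a class whose marshal_load hook runs while
# Marshal.load rebuilds the object. Real chains abuse such hooks in stdlib and
# RubyGems classes; this one only counts how often the deserializer called it.
class Tripwire
  @@loads = 0
  def self.loads
    @@loads
  end
  def marshal_dump
    ['constructed state']
  end
  def marshal_load(state) # run by the deserializer, never by the caller
    @@loads += 1
    @state = state
  end
end

# Constructed sample inputs (not real attack payloads).
BENIGN_MARSHAL   = Marshal.dump({ 'user' => 'alice', 'roles' => ['reader'] })
TRIPWIRE_MARSHAL = Marshal.dump(Tripwire.new)
BENIGN_JSON      = '{"user":"alice","roles":["reader"]}'

# How many class-defined hooks Marshal.load ran for this payload; anything
# above zero means the bytes, not the application, chose which code executed.
def marshal_hook_calls(bytes)
  before = Tripwire.loads
  Marshal.load(bytes)
  Tripwire.loads - before
end

# Safe path for untrusted input: JSON.parse (not JSON.load, whose
# create_additions option can instantiate classes named in the document),
# plus a shape check so only plain data types reach the application.
PLAIN = [Hash, Array, String, Integer, Float, TrueClass, FalseClass, NilClass].freeze
def plain_data?(value)
  return false unless PLAIN.any? { |k| value.is_a?(k) }
  case value
  when Hash  then value.all? { |k, v| k.is_a?(String) && plain_data?(v) }
  when Array then value.all? { |v| plain_data?(v) }
  else true
  end
end

def load_untrusted(text)
  data = JSON.parse(text)
  raise ArgumentError, 'unexpected structure' unless plain_data?(data)
  data
end
```

The benign Marshal payload runs no hooks, the Tripwire payload runs one purely because of its bytes, and the JSON path returns only Hashes, Arrays and scalars.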
The gadget chain consists of four main components:
- A Net::BufferedIO object that wraps a Gem::Package::TarReader::Entry object
- A Gem::Package::TarReader object whose io instance variable is set to the Net::BufferedIO object
- A Gem::Requirement object whose requirements instance variable is set to the Gem::Package::TarReader object
- A Gem::RequestSet object whose sets instance variable is set to a Net::WriteAdapter object that wraps the Kernel module
The deserialization process will trigger the following sequence of events:
1. The Net::BufferedIO object will call its read method on the Gem::Package::TarReader::Entry object.
2. The Gem::Package::TarReader::Entry object will call its header method on its debug_output instance variable, which is set to another Net::BufferedIO object.
3. The second Net::BufferedIO object will call its io method on its io instance variable, which is set to the same Gem::Package::TarReader::Entry object.
4. The Gem::Package::TarReader::Entry object will call its read method again, but this time with an argument of 512 bytes.
5. The read method will return the first 512 bytes of the serialized data, which contain the string "abc".
6. The header method will try to parse the string "abc" as a tar header, but it will fail and raise an exception.
7. The exception will be caught by the Gem::Package::TarReader object, which will call its each method on its io instance variable, which is set to the first Net::BufferedIO object.
8. The each method will try to iterate over the entries in the tar file, but it will fail and raise another exception.
9. The second exception will be caught by the Gem::Requirement object, which will call its yaml_initialize method on its requirements instance variable