神刀安全网

Discovery and disclosure of vulnerabilities found in Nokogiri

We recently discovered and disclosed two vulnerabilities in Nokogiri, a popular Ruby library. This is a great example of a “Copy-Paste Vulnerability” (CPV), so I wanted to share some details on how we discovered, verified, and disclosed these issues.

You can read up on the vulnerabilities in our Registry:

These issues were not found in Nokogiri directly, but in an embedded version of the C libraries libxml2 and libxslt. The Nokogiri team responded quickly and has released a fixed version, v1.6.8.

Discovery

I started by investigating a few libxml2 vulnerabilities (CVE-2016-4447, CVE-2016-4448, CVE-2016-4449), looking for instances of Copy-paste Vulnerabilities. These arise when a library statically builds and embeds another library inside its own package, so the embedded copy is not visible to the usual dependency tooling. As you might guess, these are pretty hard to track. I looked at Nokogiri’s dependencies and then installed the gem to verify that the affected version of libxml2, as well as libxslt, was being used.

I verified that vulnerable versions of both libraries were being used. Specifically, Nokogiri was found to be vulnerable to:

  • CVE-2016-4447, a heap-based buffer under-read in xmlParseName in parser.c. An application is potentially exposed if it processes arbitrary, untrusted, user-supplied XML files

  • CVE-2016-4448, which makes format string attacks possible

  • CVE-2016-4449, where the parser fetches the content of external entities even in non-validating mode

  • CVE-2015-7995, where attackers can cause a Denial of Service (DoS) with a specially crafted XSLT document. The vulnerability is a type confusion issue in attribute preprocessing: the xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check whether the parent node is an element

  • Furthermore, when verifying our discovery, the Nokogiri maintainers identified a vulnerability in libxslt as well: CVE-2015-7995
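The verification step above (install the gem, then confirm which libxml2 and libxslt versions it actually carries) can be scripted. The following is an added example, not code from the original post or from the Nokogiri project. It assumes the shape of `Nokogiri::VERSION_INFO` (a hash with `"libxml"` and `"libxslt"` entries carrying `"compiled"`, `"loaded"` and, for libxml, a `"source"` of `"packaged"` or `"system"`), and it assumes the upstream fixes landed in libxml2 2.9.4 and libxslt 1.1.29; both thresholds should be confirmed against the upstream advisories. The sample hash is constructed, not captured from a real install.

```ruby
# Added example (not from the original post or the Nokogiri project):
# report embedded libxml2/libxslt copies whose loaded version is below the
# release assumed to carry the fix for the CVEs listed above.

# Minimum versions assumed to contain the upstream fixes (assumption:
# confirm against the libxml2 and libxslt advisories).
MIN_FIXED = {
  "libxml"  => { version: "2.9.4",  cves: %w[CVE-2016-4447 CVE-2016-4448 CVE-2016-4449] },
  "libxslt" => { version: "1.1.29", cves: %w[CVE-2015-7995] },
}.freeze

# Numeric comparison of dotted version strings, so "2.9.10" sorts after "2.9.4".
def version_lt?(a, b)
  pa = a.split(".").map(&:to_i)
  pb = b.split(".").map(&:to_i)
  len = [pa.length, pb.length].max
  pa.fill(0, pa.length...len)   # pad the shorter side with zeros
  pb.fill(0, pb.length...len)
  (pa <=> pb) < 0
end

# Takes a hash shaped like Nokogiri::VERSION_INFO (assumed shape, see lead-in)
# and returns one finding per library whose loaded version is below the fix.
# The "loaded" version is what the running process actually uses; "compiled"
# is what the extension was built against. "source" == "packaged" marks the
# copy-paste case: the library was statically built into the gem itself.
def embedded_findings(version_info)
  findings = []
  MIN_FIXED.each do |lib, fix|
    info = version_info[lib]
    next unless info
    loaded = info["loaded"] || info["compiled"]
    next unless loaded
    next unless version_lt?(loaded, fix[:version])
    findings << {
      library: lib,
      loaded: loaded,
      fixed_in: fix[:version],
      packaged: info["source"] == "packaged",
      cves: fix[:cves],
    }
  end
  findings
end

# Constructed sample in the assumed VERSION_INFO shape; not captured from a
# real system.
SAMPLE_OLD = {
  "nokogiri" => "1.6.7.2",
  "libxml"   => { "binding" => "extension", "source" => "packaged",
                  "compiled" => "2.9.2", "loaded" => "2.9.2" },
  "libxslt"  => { "compiled" => "1.1.28", "loaded" => "1.1.28" },
}.freeze

if $PROGRAM_NAME == __FILE__
  info = begin
    require "nokogiri"
    Nokogiri::VERSION_INFO
  rescue LoadError
    SAMPLE_OLD   # gem not installed here: fall back to the constructed sample
  end
  embedded_findings(info).each do |f|
    origin = f[:packaged] ? "embedded in the gem" : "system library"
    puts "#{f[:library]} #{f[:loaded]} (#{origin}) < #{f[:fixed_in]}: #{f[:cves].join(', ')}"
  end
end
```

Run it inside the application's bundle (`bundle exec ruby check_embedded.rb`) so it inspects the same gem the application loads; `nokogiri -v` prints the same version hash if you only want to eyeball it. The `packaged` flag is the part worth keeping in inventory, since a gem that statically bundles a C library will not show up when you scan the host's system packages.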

Disclosure Timeline

In keeping with our co-ordinated disclosure policy, I started by reaching out to the Nokogiri maintainers via email to notify them.

The rest of the disclosure timeline looks like this:

  • 05/26/2016 – Email notification to the Nokogiri maintainers
  • 05/27/2016 – The maintainers acknowledged the issue
  • 05/28/2016 – The maintainers asked for additional information
  • 05/30/2016 – We responded with additional details
  • 05/31/2016 – The maintainers notified me of an additional vulnerability (CVE-2015-7995) they discovered in another embedded C library, libxslt 1.1.28
  • 05/31/2016 – The maintainers created a GitHub Issue to track their fix
  • 06/01/2016 – SourceClear published the vulnerability artifacts in our Registry ([1], [2])
  • 06/06/2016 – A fixed version (1.6.8) of Nokogiri is released

Postscript

Detecting Copy-paste Vulnerabilities is uniquely challenging, but we’re always glad for the opportunity to put our research skills to work in making the open source community safer.

If you’re interested in knowing more about how we find such Copy-paste Vulnerabilities, you can vote for Vanessa Henderson’s talk at the next Hack In The Box conference in Singapore, where she will cover several detection and mitigation strategies.
