CVE-2018-8780
Published 2018-04-03
Priority: P3 51 · critical · 9.1 CVSS 3.0
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 10.10% (95.1th percentile)
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed.
Affected
33 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_high_sierra_10.13.6_security_update_2018-004_sierra_security_update_2018-0 | — | — |
| apple | macos_mojave_10.14.1_security_update_2018-002_high_sierra_security_update_2018-0 | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| ruby-lang | ruby | < 2.2.10 | 2.2.10 |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.5.1-r0 | 2.5.1-r0 |
| ruby-lang | ruby | >= 0 < 2.3.7-r0 | 2.3.7-r0 |
CVSS provenance
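| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 9.1 | CRITICAL | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |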
GHSA
ghsa_unreviewed·2022-05-14
CVE-2018-8780 [CRITICAL] CWE-22 GHSA-fphx-j9v2-w2cx: In Ruby before 2
OSV
osv·2018-04-16·CVSS 7.5
CVE-2018-6914 [HIGH] ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
It was discovered that Ruby incorrectly handled certain inputs. An attacker
could possibly use this to execute arbitrary code. (CVE-2018-6914)
It was discovered that Ruby incorrectly handled certain inputs. An attacker
could possibly use this to access sensitive information. (CVE-2018-8778,
CVE-2018-8780)
It was discovered that Ruby incorrectly handled certain inputs. An attacker
could possibly use this to connect to an unintended socket. (CVE-2018-8779)
OSV
osv·2018-04-03·CVSS 9.1
CVE-2018-8780 [CRITICAL] CVE-2018-8780: In Ruby before 2
Apple
vendor_apple·2018-10-30·CVSS 9.1
CVE-2018-8780 [CRITICAL] CVE-2018-8780: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
Apple Security Update: About the security content of macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
Product: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
CVE: CVE-2018-8780
Component: CVE-2018-8780
Apple
vendor_apple·2018-07-09·CVSS 9.1
CVE-2018-8780 [CRITICAL] CVE-2018-8780: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
Apple Security Update: About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
Product: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
CVE: CVE-2018-8780
Component: CVE-2018-8780
Ubuntu
vendor_ubuntu·2018-04-16·CVSS 7.5
CVE-2018-6914 [HIGH] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
vendor_redhat·2018-03-28·CVSS 9.1
CVE-2018-8780 [CRITICAL] CWE-626 ruby: Unintentional directory traversal by poisoned NULL byte in Dir
It was found that the methods from the Dir class did not properly handle strings containing the NULL byte. An attacker, able to inject NULL bytes in a path, could possibly trigger an unspecified behavior of the ruby script.
Statement: This issue affects the versions of ruby as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additi
No detection rules found.
No public exploits indexed.
CTF
fileserver / README
ctf_writeups·2019
# Fileserver (web, 345p, 39 solved)
In the challenge we get access to a custom-made HTTP server.
We can easily look around and recover the [source code](fileserver.rb).
There are 2 problems here to solve:
1. We don't know the flag file name, and we know it's random and pretty long, so we need either RCE or directory listing
2. In order to do anything fancy, we need to bypass the bad_char check with some special characters
## Bad char check
The check is:
```ruby
def is_bad_path(path)
  bad_char = nil
  %w(* ? [ { \\).each do |char|
    if path.include? char
      bad_char = char
      break
    end
  end
  if bad_char.nil?
    false
  else
    # check if brackets are paired
    if bad_char == ?{
      path[path.index(bad_char)..].include? ?}
    elsif bad_char == ?[
      path[path.index(bad_char)..].include? ?]
    else
      true
    end
  end
end
```
Bugzilla
bugzilla·2018-03-29·CVSS 9.1
CVE-2018-8780 [CRITICAL] CVE-2018-8780 ruby: Unintentional directory traversal by poisoned NULL byte in Dir
Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the target directory as their parameter. If the parameter contains NUL (\0) bytes, these methods recognize that the path is completed before the NUL bytes. So, if a script accepts an external input as the argument of these methods, the attacker can make the unintentional directory traversal.
Affected versions:
Ruby 2.2 series: 2.2.9 and earlier
Ruby 2.3 series: 2.3.6 and earlier
Ruby 2.4 series: 2.4.3 and earlier
Ruby 2.5 series: 2.5.0 and earlier
External References:
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1561957]
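The NUL-truncation behaviour described in the Bugzilla entry above can be checked for and guarded against in application code. The following is an added example, not code from the advisory or from Ruby itself: `safe_listing` and `dir_rejects_nul?` are hypothetical helper names, and the directory tree is constructed at run time.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical guard (name is illustrative): list a user-supplied directory
# under +base+, refusing NUL bytes and anything that resolves outside +base+.
def safe_listing(base, user_path)
  raise ArgumentError, "NUL byte in path" if user_path.include?("\0")
  base_real = File.realpath(base)
  target = File.realpath(File.expand_path(user_path, base_real))
  inside = target == base_real || target.start_with?(base_real + File::SEPARATOR)
  raise ArgumentError, "path escapes base directory" unless inside
  (Dir.entries(target) - %w[. ..]).sort
end

# True when the running interpreter raises ArgumentError for a NUL byte in
# each Dir method named in the advisory, instead of silently using the prefix.
def dir_rejects_nul?(existing_dir)
  poisoned = "#{existing_dir}\0suffix"
  probes = [
    -> { Dir.entries(poisoned) },
    -> { Dir.open(poisoned) {} },
    -> { Dir.new(poisoned).close },
  ]
  probes << -> { Dir.empty?(poisoned) } if Dir.respond_to?(:empty?)
  probes.all? do |probe|
    begin
      probe.call
      false
    rescue ArgumentError
      true
    end
  end
end

if __FILE__ == $0
  Dir.mktmpdir do |root|                       # constructed sample tree
    base = File.join(root, "public")
    FileUtils.mkdir_p(File.join(base, "docs"))
    FileUtils.touch(File.join(base, "docs", "a.txt"))
    puts "interpreter rejects NUL: #{dir_rejects_nul?(base)}"
    puts "docs => #{safe_listing(base, 'docs').inspect}"
    ["docs\0suffix", ".."].each do |bad|
      begin
        safe_listing(base, bad)
      rescue ArgumentError => e
        puts "#{bad.inspect} rejected: #{e.message}"
      end
    end
  end
end
```

The explicit NUL check in `safe_listing` keeps the guard effective even on an interpreter for which `dir_rejects_nul?` returns false.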
Bugzilla
bugzilla·2018-03-29·CVSS 5.3
CVE-2017-17742 [MEDIUM] CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 ruby: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this i
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
http://www.securityfocus.com/bid/103739
http://www.securitytracker.com/id/1042004
https://access.redhat.com/errata/RHSA-2018:3729
https://access.redhat.com/errata/RHSA-2018:3730
https://access.redhat.com/errata/RHSA-2018:3731
https://access.redhat.com/errata/RHSA-2019:2028
https://access.redhat.com/errata/RHSA-2020:0542
https://access.redhat.com/errata/RHSA-2020:0591
https://access.redhat.com/errata/RHSA-2020:0663
https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://usn.ubuntu.com/3626-1/
https://www.debian.org/security/2018/dsa-4259
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/
2018-04-03
Published