Vulnerabilities > CVE-2016-2337 - Unspecified vulnerability in Ruby-Lang Ruby 2.2.2/2.3.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 |
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3365-1.NASL description It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147) Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855) Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly handled certain crafted strings. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-7551) It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequences. A remote attacker could possibly use this issue to inject SMTP commands. (CVE-2015-9096) Marcin Noga discovered that Ruby incorrectly handled certain arguments in a TclTkIp class method. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2337) It was discovered that Ruby Fiddle::Function.new incorrectly handled certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2339) It was discovered that Ruby incorrectly handled the initialization vector (IV) in GCM mode. An attacker could possibly use this issue to bypass encryption. (CVE-2016-7798). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101974 published 2017-07-26 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101974 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities (USN-3365-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3365-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(101974); script_version("3.7"); script_cvs_date("Date: 2019/09/18 12:31:47"); script_cve_id("CVE-2009-5147", "CVE-2015-1855", "CVE-2015-7551", "CVE-2015-9096", "CVE-2016-2337", "CVE-2016-2339", "CVE-2016-7798"); script_xref(name:"USN", value:"3365-1"); script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities (USN-3365-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147) Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855) Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly handled certain crafted strings. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-7551) It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequences. A remote attacker could possibly use this issue to inject SMTP commands. (CVE-2015-9096) Marcin Noga discovered that Ruby incorrectly handled certain arguments in a TclTkIp class method. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2337) It was discovered that Ruby Fiddle::Function.new incorrectly handled certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2339) It was discovered that Ruby incorrectly handled the initialization vector (IV) in GCM mode. An attacker could possibly use this issue to bypass encryption. (CVE-2016-7798). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3365-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libruby1.9.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libruby2.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libruby2.3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ruby1.9.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ruby2.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ruby2.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/24"); script_set_attribute(attribute:"patch_publication_date", value:"2017/07/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(14\.04|16\.04|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"14.04", pkgname:"libruby1.9.1", pkgver:"1.9.3.484-2ubuntu1.3")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"libruby2.0", pkgver:"2.0.0.484-1ubuntu2.4")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"ruby1.9.1", pkgver:"1.9.3.484-2ubuntu1.3")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"ruby2.0", pkgver:"2.0.0.484-1ubuntu2.4")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"libruby2.3", pkgver:"2.3.1-2~16.04.2")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"ruby2.3", pkgver:"2.3.1-2~16.04.2")) flag++; if (ubuntu_check(osver:"17.04", pkgname:"libruby2.3", pkgver:"2.3.3-1ubuntu0.1")) flag++; if (ubuntu_check(osver:"17.04", pkgname:"ruby2.3", pkgver:"2.3.3-1ubuntu0.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libruby1.9.1 / libruby2.0 / libruby2.3 / ruby1.9.1 / ruby2.0 / etc"); }
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201710-18.NASL description The remote host is affected by the vulnerability described in GLSA-201710-18 (Ruby: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Ruby. Please review the referenced CVE identifiers for details. Impact : A remote attacker could execute arbitrary code, cause a Denial of Service condition, or obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 103911 published 2017-10-18 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/103911 title GLSA-201710-18 : Ruby: Multiple vulnerabilities NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1050.NASL description According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable heap overflow vulnerability exists in the Fiddle::Function.new last seen 2020-05-06 modified 2017-05-01 plugin id 99895 published 2017-05-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99895 title EulerOS 2.0 SP1 : ruby (EulerOS-SA-2017-1050) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1051.NASL description According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable heap overflow vulnerability exists in the Fiddle::Function.new last seen 2020-05-06 modified 2017-05-01 plugin id 99896 published 2017-05-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99896 title EulerOS 2.0 SP2 : ruby (EulerOS-SA-2017-1051) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1480.NASL description Several vulnerabilities were discovered in Ruby 2.1. CVE-2016-2337 Type confusion exists in _cancel_eval Ruby last seen 2020-06-01 modified 2020-06-02 plugin id 112167 published 2018-08-29 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112167 title Debian DLA-1480-1 : ruby2.1 security update
Seebug
bulletinFamily | exploit |
description | ### DESCRIPTION Type Confusion exists in canceleval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution. ### TESTED VERSIONS Ruby 2.3.0 dev Ruby 2.2.2 Tcl/Tk8.6 or later ### PRODUCT URLs https://www.ruby-lang.org ### DETAILS Vulnerable code: ``` ---------------------------------------------- code --------------------------------------------- Line 7761 static VALUE Line 7762 ip_cancel_eval(argc, argv, self) Line 7763 int argc; Line 7764 VALUE *argv; Line 7765 VALUE self; Line 7766 { Line 7767 VALUE retval; Line 7768 Line 7769 if (rb_scan_args(argc, argv, "01", &retval) == 0) { Line 7770 retval = Qnil; Line 7771 } Line 7772 if (ip_cancel_eval_core(get_ip(self)->ip, retval, 0) == TCL_OK) { Line 7773 return Qtrue; Line 7774 } else { Line 7775 return Qfalse; Line 7776 } Line 7777 } Line 7736 static int Line 7737 ip_cancel_eval_core(interp, msg, flag) Line 7738 Tcl_Interp *interp; Line 7739 VALUE msg; Line 7740 int flag; Line 7741 { Line 7742 #if TCL_MAJOR_VERSION < 8 || (TCL_MAJOR_VERSION == 8 && TCL_MINOR_VERSION < 6) Line 7743 rb_raise(rb_eNotImpError, Line 7744 "cancel_eval is supported Tcl/Tk8.6 or later."); Line 7745 Line 7746 UNREACHABLE; Line 7747 #else Line 7748 Tcl_Obj *msg_obj; Line 7749 Line 7750 if (NIL_P(msg)) { Line 7751 msg_obj = NULL; Line 7752 } else { Line 7753 msg_obj = Tcl_NewStringObj(RSTRING_PTR(msg), RSTRING_LEN(msg)); Line 7754 Tcl_IncrRefCount(msg_obj); Line 7755 } Line 7756 Line 7757 return Tcl_CancelEval(interp, msg_obj, 0, flag); Line 7758 #endif Line 7759 } ---------------------------------------------- code --------------------------------------------- ``` In line 7769 "canceleval" method argument is parse out into "retval" variable. Next this variable is passed to "ipcanceleval_core" function (line 7772). In line 7753 we can see that our "retval" variable which in this function is passed as "msg" argument is treated as String object.Passing object different than String we will cause type confusion vulnerability in this line. ### TIMELINE * 2015-06-18 - Initial Discovery * 2015-06-30 - Vendor Notification * 2016—06-14 - Public Disclosure |
id | SSV:96756 |
last seen | 2017-11-19 |
modified | 2017-10-20 |
published | 2017-10-20 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-96756 |
title | Ruby TclTkIp ip_cancel_eval Type Confusion Vulnerabilities(CVE-2016-2337) |
Talos
id | TALOS-2016-0031 |
last seen | 2019-05-29 |
published | 2016-06-14 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0031 |
title | Ruby TclTkIp ip_cancel_eval Type Confusion Vulnerabilities |
References
- http://www.securityfocus.com/bid/91233
- http://www.securityfocus.com/bid/91233
- http://www.talosintelligence.com/reports/TALOS-2016-0031/
- http://www.talosintelligence.com/reports/TALOS-2016-0031/
- https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
- https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
- https://security.gentoo.org/glsa/201710-18
- https://security.gentoo.org/glsa/201710-18