CVE-2016-2337 - Remote Code Execution vulnerability in Ruby TclTkIp 'ip_cancel_eval()' Function Type Confusion

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, ruby-lang, nessus

Summary

Type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker passing an object of a type other than String as the "retval" argument can cause arbitrary code execution. CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') (http://cwe.mitre.org/data/definitions/843.html)

Vulnerable Configurations

Part         Description   Count
Application  Ruby-Lang     2

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3365-1.NASL
    description: It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147) Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855) Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly handled certain crafted strings. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-7551) It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequences. A remote attacker could possibly use this issue to inject SMTP commands. (CVE-2015-9096) Marcin Noga discovered that Ruby incorrectly handled certain arguments in a TclTkIp class method. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2337) It was discovered that Ruby Fiddle::Function.new incorrectly handled certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2339) It was discovered that Ruby incorrectly handled the initialization vector (IV) in GCM mode. An attacker could possibly use this issue to bypass encryption. (CVE-2016-7798). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101974
    published: 2017-07-26
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101974
    title: Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities (USN-3365-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3365-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101974);
      script_version("3.7");
      script_cvs_date("Date: 2019/09/18 12:31:47");
    
      script_cve_id("CVE-2009-5147", "CVE-2015-1855", "CVE-2015-7551", "CVE-2015-9096", "CVE-2016-2337", "CVE-2016-2339", "CVE-2016-7798");
      script_xref(name:"USN", value:"3365-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities (USN-3365-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that Ruby DL::dlopen incorrectly handled opening
    libraries. An attacker could possibly use this issue to open libraries
    with tainted names. This issue only applied to Ubuntu 14.04 LTS.
    (CVE-2009-5147)
    
    Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the
    Ruby OpenSSL extension incorrectly handled hostname wildcard matching.
    This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855)
    
    Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly
    handled certain crafted strings. An attacker could use this issue to
    cause a denial of service, or possibly execute arbitrary code. This
    issue only applied to Ubuntu 14.04 LTS. (CVE-2015-7551)
    
    It was discovered that Ruby Net::SMTP incorrectly handled CRLF
    sequences. A remote attacker could possibly use this issue to inject
    SMTP commands. (CVE-2015-9096)
    
    Marcin Noga discovered that Ruby incorrectly handled certain arguments
    in a TclTkIp class method. An attacker could possibly use this issue
    to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS.
    (CVE-2016-2337)
    
    It was discovered that Ruby Fiddle::Function.new incorrectly handled
    certain arguments. An attacker could possibly use this issue to
    execute arbitrary code. This issue only affected Ubuntu 14.04 LTS.
    (CVE-2016-2339)
    
    It was discovered that Ruby incorrectly handled the initialization
    vector (IV) in GCM mode. An attacker could possibly use this issue to
    bypass encryption. (CVE-2016-7798).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3365-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libruby1.9.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libruby2.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libruby2.3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ruby1.9.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ruby2.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ruby2.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"libruby1.9.1", pkgver:"1.9.3.484-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"libruby2.0", pkgver:"2.0.0.484-1ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"ruby1.9.1", pkgver:"1.9.3.484-2ubuntu1.3")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"ruby2.0", pkgver:"2.0.0.484-1ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libruby2.3", pkgver:"2.3.1-2~16.04.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"ruby2.3", pkgver:"2.3.1-2~16.04.2")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"libruby2.3", pkgver:"2.3.3-1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"ruby2.3", pkgver:"2.3.3-1ubuntu0.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libruby1.9.1 / libruby2.0 / libruby2.3 / ruby1.9.1 / ruby2.0 / etc");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201710-18.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201710-18 (Ruby: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Ruby. Please review the referenced CVE identifiers for details. Impact: A remote attacker could execute arbitrary code, cause a Denial of Service condition, or obtain sensitive information. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103911
    published: 2017-10-18
    reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/103911
    title: GLSA-201710-18 : Ruby: Multiple vulnerabilities
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2017-1050.NASL
    description: According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable heap overflow vulnerability exists in the Fiddle::Function.new
    last seen: 2020-05-06
    modified: 2017-05-01
    plugin id: 99895
    published: 2017-05-01
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99895
    title: EulerOS 2.0 SP1 : ruby (EulerOS-SA-2017-1050)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2017-1051.NASL
    description: According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable heap overflow vulnerability exists in the Fiddle::Function.new
    last seen: 2020-05-06
    modified: 2017-05-01
    plugin id: 99896
    published: 2017-05-01
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99896
    title: EulerOS 2.0 SP2 : ruby (EulerOS-SA-2017-1051)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1480.NASL
    description: Several vulnerabilities were discovered in Ruby 2.1. CVE-2016-2337 Type confusion exists in _cancel_eval Ruby
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 112167
    published: 2018-08-29
    reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/112167
    title: Debian DLA-1480-1 : ruby2.1 security update

Seebug

bulletinFamily: exploit
description:
### DESCRIPTION
Type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker passing an object of a type other than String as the "retval" argument can cause arbitrary code execution.
### TESTED VERSIONS
Ruby 2.3.0 dev
Ruby 2.2.2
Tcl/Tk 8.6 or later
### PRODUCT URLs
https://www.ruby-lang.org
### DETAILS
Vulnerable code:
```c
---------------------------------------------- code ---------------------------------------------
Line 7761 static VALUE
Line 7762 ip_cancel_eval(argc, argv, self)
Line 7763     int argc;
Line 7764     VALUE *argv;
Line 7765     VALUE self;
Line 7766 {
Line 7767     VALUE retval;
Line 7768
Line 7769     if (rb_scan_args(argc, argv, "01", &retval) == 0) {
Line 7770         retval = Qnil;
Line 7771     }
Line 7772     if (ip_cancel_eval_core(get_ip(self)->ip, retval, 0) == TCL_OK) {
Line 7773         return Qtrue;
Line 7774     } else {
Line 7775         return Qfalse;
Line 7776     }
Line 7777 }

Line 7736 static int
Line 7737 ip_cancel_eval_core(interp, msg, flag)
Line 7738     Tcl_Interp *interp;
Line 7739     VALUE msg;
Line 7740     int flag;
Line 7741 {
Line 7742 #if TCL_MAJOR_VERSION < 8 || (TCL_MAJOR_VERSION == 8 && TCL_MINOR_VERSION < 6)
Line 7743     rb_raise(rb_eNotImpError,
Line 7744              "cancel_eval is supported Tcl/Tk8.6 or later.");
Line 7745
Line 7746     UNREACHABLE;
Line 7747 #else
Line 7748     Tcl_Obj *msg_obj;
Line 7749
Line 7750     if (NIL_P(msg)) {
Line 7751         msg_obj = NULL;
Line 7752     } else {
Line 7753         msg_obj = Tcl_NewStringObj(RSTRING_PTR(msg), RSTRING_LEN(msg));
Line 7754         Tcl_IncrRefCount(msg_obj);
Line 7755     }
Line 7756
Line 7757     return Tcl_CancelEval(interp, msg_obj, 0, flag);
Line 7758 #endif
Line 7759 }
---------------------------------------------- code ---------------------------------------------
```
In line 7769 the "_cancel_eval" method's optional argument is parsed out into the "retval" variable. Next, this variable is passed to the "ip_cancel_eval_core" function (line 7772). In line 7753 we can see that our "retval" variable, which in this function is passed as the "msg" argument, is treated as a String object: the only check made before that point is the NIL_P test in line 7750, and RSTRING_PTR/RSTRING_LEN read the String-specific fields without verifying the object's type. Passing an object other than a String therefore causes a type confusion vulnerability in this line.
### TIMELINE
* 2015-06-18 - Initial Discovery
* 2015-06-30 - Vendor Notification
* 2016-06-14 - Public Disclosure
id: SSV:96756
last seen: 2017-11-19
modified: 2017-10-20
published: 2017-10-20
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-96756
title: Ruby TclTkIp ip_cancel_eval Type Confusion Vulnerabilities (CVE-2016-2337)
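The following is an added example written for this page; it is not code from Ruby, Tcl/Tk, Talos or Seebug. It models the shape of the defect in ip_cancel_eval_core with a constructed, deliberately simplified object layout (a union whose String and Array variants share field offsets, a NULL VALUE standing in for nil): Ruby's real VALUE, RSTRING_PTR and RSTRING_LEN differ in detail, and the names here only mirror them. The unchecked builder follows lines 7750-7753 above, where nil is the only case tested; the checked builder adds the type test that a C extension gets from MRI's Check_Type(msg, T_STRING) or StringValue(msg), both of which raise TypeError on a non-String. The point the test pins down is that the unchecked path accepts an Array and hands Tcl the Array's capacity as a byte length, while the checked path refuses it before any String field is read.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a tagged heap object. Not Ruby's real layout. */
typedef enum { T_NIL = 0, T_STRING, T_ARRAY } obj_type;

/* Every variant starts with a type tag; the words after it mean different
 * things per type but sit at the same offsets, so reading an Array through
 * the String view silently yields the Array's fields. */
typedef union {
    struct { obj_type type; } basic;
    struct { obj_type type; const char *ptr; long len; } string;
    struct { obj_type type; void **elts; long capa; } array;
} RObject;

typedef RObject *VALUE;                 /* model of VALUE; NULL plays nil */
#define NIL_P(v)       ((v) == NULL)
#define RSTRING_PTR(v) ((v)->string.ptr)   /* unchecked view, as in MRI's macro */
#define RSTRING_LEN(v) ((v)->string.len)

/* What ip_cancel_eval_core passes on to Tcl_NewStringObj(): pointer + length. */
typedef struct { const char *ptr; long len; } tcl_msg;

enum { MSG_OK = 0, MSG_TYPE_ERROR = -1 };

/* Vulnerable shape (lines 7750-7753): nil is the only case checked. */
int build_msg_unchecked(VALUE msg, tcl_msg *out)
{
    if (NIL_P(msg)) { out->ptr = NULL; out->len = 0; return MSG_OK; }
    out->ptr = RSTRING_PTR(msg);   /* on an Array: its element vector */
    out->len = RSTRING_LEN(msg);   /* on an Array: its capacity */
    return MSG_OK;
}

/* Hardened shape: refuse anything that is not a String before touching
 * String-specific fields (what Check_Type / StringValue provide in MRI). */
int build_msg_checked(VALUE msg, tcl_msg *out)
{
    if (NIL_P(msg)) { out->ptr = NULL; out->len = 0; return MSG_OK; }
    if (msg->basic.type != T_STRING) return MSG_TYPE_ERROR;
    out->ptr = RSTRING_PTR(msg);
    out->len = RSTRING_LEN(msg);
    return MSG_OK;
}

/* Constructed sample objects: a 5-byte String and a 3-slot Array whose
 * recorded capacity (1024) is far larger than the memory behind it. */
static const char hello[] = "hello";
static RObject str_obj   = { .string = { T_STRING, hello, 5 } };
static void *three_elts[3];
static RObject array_obj = { .array = { T_ARRAY, three_elts, 1024 } };

/* Byte length Tcl would be told to copy from the String object. */
long unchecked_len_for_string(void) { tcl_msg m; build_msg_unchecked(&str_obj, &m); return m.len; }
/* Byte length Tcl would be told to copy from the Array object: the over-read. */
long unchecked_len_for_array(void)  { tcl_msg m; build_msg_unchecked(&array_obj, &m); return m.len; }
int unchecked_status_for_array(void) { tcl_msg m; return build_msg_unchecked(&array_obj, &m); }
int checked_status_for_array(void)   { tcl_msg m; return build_msg_checked(&array_obj, &m); }
int checked_status_for_string(void)  { tcl_msg m; return build_msg_checked(&str_obj, &m); }
int checked_status_for_nil(void)     { tcl_msg m; return build_msg_checked(NULL, &m); }

int main(void)
{
    printf("unchecked: Array accepted (status %d), length handed to Tcl = %ld\n",
           unchecked_status_for_array(), unchecked_len_for_array());
    printf("checked:   Array rejected (status %d), String accepted (status %d)\n",
           checked_status_for_array(), checked_status_for_string());
    return 0;
}
```

The design point is that the nil test in the original is a value check, not a type check: it proves the argument is not nil and nothing more, while RSTRING_PTR/RSTRING_LEN assume a String. In MRI code the one-line fix is to call StringValue(msg) (or Check_Type(msg, T_STRING)) before the macros, so a caller who passes an Array, Integer or any other object gets a Ruby TypeError instead of the extension reading that object's fields as a buffer pointer and length.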

Talos

id: TALOS-2016-0031
last seen: 2019-05-29
published: 2016-06-14
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0031
title: Ruby TclTkIp ip_cancel_eval Type Confusion Vulnerabilities