Ruby Directory Traversal Vulnerability (CVE-2021-28966)

Published 2021-04-07

0x00 Vulnerability Overview

CVE ID: CVE-2021-28966

Date: 2021-04-07

Type: Directory traversal

Severity: High

Remotely exploitable: Yes

Affected scope:

PoC/EXP: Not public

Exploited in the wild:

0x01 Vulnerability Details


Ruby is a simple, object-oriented scripting language.

On April 5, 2021, the Ruby project published a security advisory disclosing a directory traversal vulnerability (CVE-2021-28966) in the tmpdir library that is bundled with Ruby on Windows.

The Dir.mktmpdir method provided by the tmpdir library takes its first argument as the prefix and suffix of the directory to be created, and the prefix may contain the relative path component "..\\". Because the method can therefore be pointed at any directory, an attacker can use it to perform directory traversal; if a script accepts external input as the prefix and the Ruby process runs with elevated privileges, the attacker can create directories or files in arbitrary locations.
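As an added illustration (not code from the Ruby project or from this advisory), the following Ruby helper shows the check a script should apply before handing caller-controlled input to Dir.mktmpdir: it rejects the "..\\" component described above and, going slightly beyond the advisory, any path separator or ".." on either platform, so a traversal-shaped prefix never reaches the library. The names safe_prefix? and make_tmpdir, and the sample inputs, are assumptions made for the example.

```ruby
require "tmpdir"

# Added example, not the tmpdir library's own code. A prefix handed to
# Dir.mktmpdir becomes part of a filesystem path, so anything that can move
# the path out of the temp directory must be refused before the call.
def safe_prefix?(prefix)
  return false unless prefix.is_a?(String) && !prefix.empty?
  return false if prefix.include?("\0")        # NUL truncates C-level paths
  return false if prefix.match?(%r{[/\\]})     # "/" and "\" (Windows separator)
  return false if prefix.include?("..")        # parent-directory component
  true
end

# Wrapper that only calls Dir.mktmpdir with a validated prefix and otherwise
# raises, so the error surfaces in the caller instead of a stray directory.
def make_tmpdir(prefix, &block)
  unless safe_prefix?(prefix)
    raise ArgumentError, "refusing unsafe tmpdir prefix: #{prefix.inspect}"
  end
  Dir.mktmpdir(prefix, &block)
end

# Constructed inputs: the traversal shape from the advisory plus variants.
REJECTED_PREFIXES = ["..\\evil", "../evil", "..", "a\\b", "a/b", "", "x\0y"].freeze
ACCEPTED_PREFIXES = ["upload", "job-42", "build_tmp"].freeze

if __FILE__ == $0
  (REJECTED_PREFIXES + ACCEPTED_PREFIXES).each do |p|
    puts "#{p.inspect}: #{safe_prefix?(p) ? 'accepted' : 'rejected'}"
  end
  make_tmpdir("upload") { |dir| puts "created #{dir}" } # removed when block ends
end
```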

Affected versions

Ruby <= 2.7.2

Ruby = 3.0.0

0x02 Remediation

The vulnerability has been fixed; updating to the latest version promptly is recommended.

Download link:

https://www.ruby-lang.org/en/news/2021/04/05/ruby-3-0-1-released/

0x03 References

https://www.ruby-lang.org/en/news/2021/04/05/tempfile-path-traversal-on-windows-cve-2021-28966/

https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28965

0x04 Timeline

2021-04-05  Ruby published its security advisory

2021-04-07  VSRC published this security bulletin

0x05 Appendix

CVSS scoring standard (official site): http://www.first.org/cvss/
