Github: Understanding Unsafe Deserialization Vulnerabilities in Ruby Projects

Unsafe deserialization vulnerabilities in Ruby projects can enable attackers to execute arbitrary commands on remote servers by sending JSON data. According to The GitHub Blog, these vulnerabilities occur when the deserialization process allows the instantiation of arbitrary classes or class-like structures specified in the serialized data.

How Unsafe Deserialization Works

In Ruby, unsafe deserialization vulnerabilities are often exploited through libraries that support polymorphism, such as the Oj JSON serialization library. Attackers can chain multiple classes together to execute code on the system under attack. These classes, known as gadgets, are combined into a gadget chain to form a larger exploit.

For instance, when using the Oj library for deserializing JSON, a project can be vulnerable if it includes a construct like:

data = Oj.load(untrusted_json)

The Oj library, by default, supports the instantiation of classes specified in JSON, which can be disabled by using Oj.safe_load instead.

To demonstrate how this works, consider a class named SimpleClass with a hash method that executes a command:

class SimpleClass
  def initialize(cmd)
    @cmd = cmd
  end

  def hash
    system(@cmd)
  end
end

A JSON payload to instantiate this class might look like:

{
    "^o": "SimpleClass",
    "cmd": "open -a calculator"
}

Loading this JSON with Oj.load would not trigger the hash method directly, but placing the class inside a hash as the key can trigger the method:

Oj.load(json_payload)

This would execute the command specified in the @cmd member variable.

Building a Detection Gadget

To detect unsafe deserialization vulnerabilities, one can build a detection gadget chain. For example, a class like Gem::Requirement can be used, which has a hash method that calls to_s on an internal member. By creating a suitable JSON payload, one can trigger this chain to detect vulnerabilities.

The detection gadget can also be extended to a full-fledged remote code execution (RCE) chain. This involves using classes and methods that are part of Ruby or its dependencies to execute arbitrary commands.

Preventing Unsafe Deserialization

To prevent such vulnerabilities, it is crucial to use safe deserialization methods. For example, using Oj.safe_load instead of Oj.load can prevent the instantiation of arbitrary classes. Additionally, tools like CodeQL can help detect unsafe deserialization by analyzing the source code for vulnerable patterns.

For developers with access to the source code, GitHub’s code scanning with CodeQL can identify unsafe deserialization sinks. If the source code is not accessible, detection gadgets can be used to identify vulnerabilities remotely.

Understanding how unsafe deserialization works and implementing secure coding practices can help avoid these vulnerabilities. For more detailed examples and detection methodologies, refer to the original blog post by The GitHub Blog.