RubyĿ¼±éÀú·ì϶£¨CVE-2021-28966£©

°ä²¼¹¦·ò 2021-04-07

0x00 ·ì϶¸ÅÊö

CVE  ID

CVE-2021-28966

ʱ    ¼ä

2021-04-07

Àà   ÐÍ

Ŀ¼±éÀú

µÈ    ¼¶

¸ßΣ

Ô¶³ÌÀûÓÃ

ÊÇ

Ó°ÏìÁìÓò


PoC/EXP

δ¹«¿ª

ÔÚÒ°ÀûÓÃ


 

0x01 ·ì϶ÏêÇé

image.png

 

RubyÊÇÒ»ÖÖµ¥Ò»µÄ¡¢ÃæÏò¶ÔÏóµÄ·¨Ê½Éè¼Æ¾ç±¾Ëµ»°¡£¡£¡£¡£ ¡£¡£

2021Äê04ÔÂ05ÈÕ£¬£¬ £¬£¬£¬Ruby¹Ù·½°ä²¼°²È«²¼¸æ£¬£¬ £¬£¬£¬¹«¿ªÁËWindowsÉÏÓëRuby°ó¸¿ÔÚһ·µÄtmpdir¿âÖеÄÒ»¸öĿ¼±éÀú·ì϶£¨CVE-2021-28966£©¡£¡£¡£¡£ ¡£¡£

tmpdir¿âÒýÈëµÄDir.mktmpdir²½Ö轫µÚÒ»¸ö²ÎÊý×÷Ϊ´´½¨µÄĿ¼µÄǰ׺ºÍºó׺£¬£¬ £¬£¬£¬²¢ÇÒǰ׺Äܹ»Ô̺¬Ïà¶ÔµÄĿ¼ָ¶¨·û¡±..\\¡±,ÓÉÓڸò½Öè¿ÉÓÃÓÚ¶¨Î»ÈκÎĿ¼£¬£¬ £¬£¬£¬Òò¶ø¹¥»÷Õß¿Éͨ¹ýÀûÓô˷ì϶½øÐÐĿ¼±éÀú£¬£¬ £¬£¬£¬²¢ÇÒÈôÊǾ籾½ÓÊÜ±í²¿ÊäÈë×÷Ϊǰ׺£¬£¬ £¬£¬£¬ÇÒRuby¹ý³ÌÓµÓнϸߵÄȨÏÞʱ£¬£¬ £¬£¬£¬¹¥»÷ÕßÄܹ»ÔÚÖ°ºÎĿ¼Öд´½¨Ä¿Â¼»òÎļþ¡£¡£¡£¡£ ¡£¡£

 

Ó°ÏìÁìÓò

Ruby <= 2.7.2

Ruby = 3.0.0

 

0x02 ´ëÖý¨Òé

Ä¿Ç°¸Ã·ì϶ÒѾ­½¨¸´£¬£¬ £¬£¬£¬½¨Òéʵʱ¸üÐÂÖÁ×îа汾¡£¡£¡£¡£ ¡£¡£

ÏÂÔØÁ´½Ó£º

https://www.ruby-lang.org/en/news/2021/04/05/ruby-3-0-1-released/

 

0x03 ²Î¿¼Á´½Ó

https://www.ruby-lang.org/en/news/2021/04/05/tempfile-path-traversal-on-windows-cve-2021-28966/

https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28965

 

0x04 ¹¦·òÏß

2021-04-05  Ruby°ä²¼°²È«²¼¸æ

2021-04-07  VSRC°ä²¼°²È«¹«¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö³ß¶È¹ÙÍø£ºhttp://www.first.org/cvss/

image.png