Coordinated Disclosure Timeline
- 2022-09-07: Sent report to Fat Free CRM maintainers
- 2022-09-12: Maintainers acknowledged the existence of this vulnerability and started looking for similar vulnerabilities
- 2022-10-07: Advisory was published
Summary
A denial of service vulnerability existed in Fat Free CRM where an authenticated attacker could have prevented the web application from handling any requests.
Product
Fat Free CRM
Tested Version
Details
Issue: Remote Denial of Service (GHSL-2022-073)
An authenticated user can perform a remote Denial of Service attack against Fat Free CRM. Fat Free CRM exposes several Task update endpoints that pass params[:bucket] to the bucket_empty? method, which calls send with the user-controllable bucket parameter as argument. Ruby's send method calls any private or public method on an object, including methods defined on parent classes such as Object and BasicObject. The Kernel module is included by the class Object, so its methods are available in every Ruby object.
Most public information about this type of vulnerability mentions the Kernel methods exit and exit! as destructive examples to pass to the send method. However, in a Rails application this throws an exception, and while it shuts the current request down, it doesn't kill the server. We found out that the Kernel method sleep might be a better candidate to stop a Rails application from answering requests. Calling sleep without a duration parameter will make the current request thread sleep forever.
So, if a Rails application is started with a maximum of 5 threads (RAILS_MAX_THREADS=5) in combination with 2 Puma workers (WEB_CONCURRENCY=2), it will take 10 (2*5) requests to stop the Rails application from responding to any requests.
This vulnerability was found using a CodeQL query which identifies code injection.
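The dispatch pattern the advisory describes, beside an allowlisted replacement, as an added example that is not Fat Free CRM's own code (the TaskBuckets class, its bucket methods and the sample counts are assumed):

```ruby
# Added example, not Fat Free CRM's own code: class and method names are assumed.
# Models the pattern the advisory describes (a request parameter used as the
# method name for send) beside a hardened form that only dispatches to an
# explicit allowlist of bucket query methods.

class TaskBuckets
  # Bucket names a client may legitimately ask about.
  ALLOWED_BUCKETS = %w[overdue due_today].freeze

  # counts: constructed sample data, bucket name => number of open tasks.
  def initialize(counts)
    @counts = counts
  end

  def overdue
    @counts.fetch("overdue", 0)
  end

  def due_today
    @counts.fetch("due_today", 0)
  end

  # Vulnerable pattern: the method name comes straight from params[:bucket], so
  # every method on Object/Kernel is reachable, including sleep with no duration.
  def bucket_empty_unsafe?(bucket)
    send(bucket).zero?
  end

  # Hardened pattern: reject anything outside the allowlist before dispatching,
  # and use public_send so private methods stay unreachable if the list grows.
  def bucket_empty?(bucket)
    name = bucket.to_s
    unless ALLOWED_BUCKETS.include?(name)
      raise ArgumentError, "unknown bucket: #{name.inspect}"
    end
    public_send(name).zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  buckets = TaskBuckets.new("overdue" => 0, "due_today" => 3)
  puts buckets.bucket_empty?("overdue")          # true
  # A harmless Object method shows the unsafe version reaches methods that are
  # not buckets at all; the hardened version refuses the same input.
  puts buckets.bucket_empty_unsafe?("object_id") # false (Object#object_id was called)
  begin
    buckets.bucket_empty?("object_id")
  rescue ArgumentError => e
    puts e.message                               # unknown bucket: "object_id"
  end
end
```

Running the file prints the three lines noted in the comments; the allowlist check is what a CodeQL code-injection query would no longer flag as user-controlled dispatch.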
Proof of concept
The following request sets params[:bucket] to sleep, which the application will evaluate as send("sleep"):
curl -i -s -k -X $'PUT' \
-H $'Host: 127.0.0.1:3000' -H $'Content-Length: 14' -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Connection: close' \
-b $'_fat_free_crm_session=[..]' \
--data-binary $'bucket=sleep' \
$'http://127.0.0.1:3000/tasks/26/complete'
(Hint: replace the X-CSRF-Token header and the _fat_free_crm_session cookie with valid (authenticated) values)
Impact
This issue may lead to Denial of Service (DOS).
Resources
CVE
- CVE-2022-39281
Credit
This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-073 in any communication regarding this issue.