Ruby Directory Traversal Vulnerability (CVE-2021-28966)

Published 2021-04-07

0x00 Vulnerability Overview

CVE ID: CVE-2021-28966
Date: 2021-04-07
Type: Directory traversal
Severity: High
Remotely exploitable: Yes
Affected versions: Ruby <= 2.7.2, Ruby 3.0.0
PoC/EXP: Not public
Exploited in the wild: Not stated
 

0x01 Vulnerability Details


Ruby is a simple, object-oriented scripting language.

On April 5, 2021, the Ruby project published a security advisory disclosing a directory traversal vulnerability (CVE-2021-28966) in the tmpdir library bundled with Ruby, affecting Windows.

The Dir.mktmpdir method provided by the tmpdir library takes its first argument as the prefix and suffix of the directory to be created. The prefix may contain the relative directory specifier "..\\", so the method can be pointed at any directory. If a script passes external input through as the prefix, and the target directory has loose permissions or the Ruby process runs with elevated privileges, an attacker can create a directory or file at an arbitrary location on the filesystem.
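The vulnerable pattern described above, next to one way to guard it, as an added example (not code from the Ruby project, the tmpdir library, or this advisory). The function names mktmpdir_unchecked, safe_tmp_prefix?, mktmpdir_scoped and classify_prefixes, the whitelist, and the sample prefixes are all assumptions constructed for illustration; the validation shown is not the upstream fix, it is an input check an application can apply regardless of whether the interpreter's own tmpdir carries the fix.

```ruby
require "tmpdir"
require "fileutils"

# Constructed attacker-style prefixes for illustration (not from the advisory).
# The backslash forms are what the Windows traversal looks like; the forward-slash
# form is included so the check is shown to be platform-independent.
TRAVERSAL_PREFIXES = ["..\\..\\Windows\\Temp\\x", "../../etc/x", "good\\..\\x", ".."].freeze

# Vulnerable pattern the advisory describes: a caller-controlled prefix is handed
# straight to Dir.mktmpdir. On Ruby <= 2.7.2 / 3.0.0 on Windows, a prefix such as
# "..\\..\\foo" resolves outside `base`.
def mktmpdir_unchecked(user_prefix, base = Dir.tmpdir)
  Dir.mktmpdir(user_prefix, base)
end

# Hypothetical validation added here (not tmpdir's own fix): accept only a
# conservative character set, with no "/" or "\\" on any platform, no NUL, and
# no ".." anywhere in the string.
def safe_tmp_prefix?(prefix)
  return false unless prefix.is_a?(String) && !prefix.empty?
  return false if prefix.include?("/") || prefix.include?("\\") || prefix.include?("\0")
  return false if prefix.include?("..")
  prefix.match?(/\A[A-Za-z0-9_.-]+\z/)
end

# Hardened wrapper: validate the prefix up front, then confirm after creation that
# the directory really resolved inside `base` (defence in depth against any
# separator or symlink the whitelist did not anticipate).
def mktmpdir_scoped(user_prefix, base = Dir.tmpdir)
  raise ArgumentError, "rejected tmpdir prefix: #{user_prefix.inspect}" unless safe_tmp_prefix?(user_prefix)
  dir = Dir.mktmpdir(user_prefix, base)
  real_base = File.realpath(base)
  real_dir  = File.realpath(dir)
  unless real_dir.start_with?(real_base + File::SEPARATOR)
    FileUtils.rm_rf(dir)
    raise SecurityError, "tmpdir #{real_dir} escaped #{real_base}"
  end
  dir
end

# Runs the whitelist over the constructed prefixes plus two benign ones;
# returns a Hash of prefix => accepted?.
def classify_prefixes(prefixes = TRAVERSAL_PREFIXES + ["build-cache", "job.42"])
  prefixes.to_h { |p| [p, safe_tmp_prefix?(p)] }
end

if $PROGRAM_NAME == __FILE__
  classify_prefixes.each { |p, ok| puts "#{ok ? 'accept' : 'reject'}  #{p.inspect}" }
  dir = mktmpdir_scoped("build-cache")
  puts "created #{dir}"
  FileUtils.rm_rf(dir)
end
```

The post-creation realpath comparison is the part worth keeping even on a patched interpreter: Dir.tmpdir is frequently a symlink (for example on macOS), so both sides are resolved before the prefix test, and the directory is removed again if it ever lands outside the intended base.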

 

Affected versions

Ruby <= 2.7.2

Ruby 3.0.0

 

0x02 Remediation

The vulnerability is fixed in Ruby 2.7.3 and Ruby 3.0.1; upgrade to one of these or a later release promptly.

Download links (fixed releases):

https://www.ruby-lang.org/en/news/2021/04/05/ruby-3-0-1-released/

https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/

 

0x03 References

https://www.ruby-lang.org/en/news/2021/04/05/tempfile-path-traversal-on-windows-cve-2021-28966/

https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28966

 

0x04 Timeline

2021-04-05  Ruby project publishes its security advisory

2021-04-07  VSRC publishes this advisory

 

0x05 Appendix

 

CVSS scoring standard (official site): http://www.first.org/cvss/
