Developers have patched a popular Ruby library for parsing and converting AsciiDoc files to safeguard servers against a newly discovered command injection vulnerability.
Command injection vulnerabilities allow an attacker to execute arbitrary operating system commands on the server that is running an application, typically resulting in the complete compromise of the application and all its data.
The Ruby library in question, asciidoctor-include-ext, is an extension for the Asciidoctor library which adds the ability to include remote URLs and local files into AsciiDoc documents. It was built to be an extensible library.
Piping malicious commands
Joern Schneeweisz, a security engineer at GitLab, discovered that he could force asciidoctor-include-ext to execute arbitrary commands by feeding crafted input strings to the tool.
“[asciidoctor-include-ext] made use of `open`/`IO.foreach` to include files and URLs. Both methods can be used to execute commands when you prepend a pipe symbol like `|some_command –some argument` to read from that command’s standard output instead of a file,” Schneeweisz told The Daily Swig.
A successful attack would provide an adversary with any rights given to the compromised process rendering the AsciiDoc file. The bug was given a critical 10.0 CVSS score.
“It’s a bit concerning as the vulnerability can be triggered in the normal rendering of asciidoctor documents which use this extension,” Schneeweisz said. “The exploit itself is easy enough, a sample has been published in the commit message for the fix.”
Decades-old vector
Interestingly, this class of vulnerability was first identified in 2015. At the time, security researcher Egor Homakov detailed in a blog post how Ruby wrapper libraries such as the ones used in asciidoctor-include-ext could be exploited for remote code execution (RCE) attacks.
“Ruby’s open-uri default behavior is very dangerous and prone to RCE bugs like this,” Homakov told The Daily Swig.
“It definitely should have been removed or split up into different functions e.g., openSystem (with pipe |), openURI (for URI) and openFile (for files) to remove ambiguity and security risk. I guess nobody cared enough to fix it. Such things stay ‘status quo’ until some very critical vulnerability is found to take an action.”
“I think the way of having a | [pipe] prepended to read a command instead of a file is just not too widely known behavior in those Ruby methods,” Schneeweisz said. “It’s easy to miss and also easy to exploit in most cases.”
