Unintentional file creation caused by inserting an illegal NUL character (CVE-2012-4522)

Posted by usa on 12 Oct 2012

A vulnerability was found that file creation routines can create unintended files by strategically inserting NUL(s) in file paths. This vulnerability has been reported as CVE-2012-4522.

Details

Ruby can handle arbitrary binary patterns as Strings, including NUL chars. On the other hand OSes and other libraries tend not. They usually treat a NUL as an End of String mark. So to interface them with Ruby, NUL chars should properly be avoided.

However methods like IO#open did not check the filename passed to them, and just passed those strings to lower layer routines. This led to create unintentional files like this:

p File.exists?("foo")      #=> false
open("foo\0bar", "w") { |f| f.puts "hai" }
p File.exists?("foo")      #=> true
p File.exists?("foo\0bar") #=> raises ArgumentError

Affected versions

• All Ruby 1.9.3 prior to patchlevel 286
• All development branches of Ruby 2.0.0 prior to revision r37163

Solution

Upgrade to a latest version.

Credit

This issue was reported by Peter Bex.

Updates

• Fixed typo at 2012-10-19 14:54:49 JST.
• Added a mention about CVE number at 2012-10-16 08:58:51 JST.
• Originally published at 2012-10-12 19:19:55 JST.