How the CVE Works:
The vulnerability is in `Rack::Request#POST`. When a request carries a Content-Type of `application/x-www-form-urlencoded`, the method obtains the form body by calling `rack.input.read(nil)`. A `nil` length tells `read` to consume the stream to its end with no upper bound, and this happens before any configured parameter limit (`params_limit`) is applied: that limit acts on the parsed parameters, so it cannot take effect until the whole body has already been buffered. An attacker therefore needs only one request with a very large urlencoded body. The server reads the entire body into process memory as a single Ruby String, so memory use grows linearly with whatever body size the attacker chooses. Without another limit in front of the application this exhausts available memory and causes a Denial of Service (DoS), either as severe degradation while the process swaps or as termination of the application process by the Out-of-Memory (OOM) killer. The request does not need a truthful `Content-Length`: a chunked body is read the same way, so a mitigation has to cap the bytes actually read rather than trust the declared length.
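The mechanism is easiest to see with a cap placed in front of the unbounded read. The following Ruby is an added example written for this page, not Rack's code and not the upstream fix: a small Rack middleware (`BodyLimit`, a name chosen here) that rejects oversized bodies by `Content-Length` and, for bodies without one, wraps `rack.input` so that `read(nil)` can never pull more than the cap plus one byte off the wire. The downstream app, the 1 KiB limit and the request bodies are constructed for the demo; it needs only the standard library, not the rack gem.

```ruby
require 'stringio'

# Added example, not Rack's own code: a middleware that caps the request body
# before anything downstream can call rack.input.read(nil) on it. LIMIT is an
# assumed value for the demo; a real deployment would choose a larger cap.
class BodyLimit
  class TooLarge < StandardError; end

  # Wraps rack.input so every read, including read(nil), is bounded by the cap.
  # The cap is enforced on bytes actually consumed, so it also covers chunked
  # bodies that arrive without a Content-Length. Only #read is shown; a full
  # rack.input replacement would also delegate gets/each/close the same way.
  class LimitedInput
    def initialize(io, limit)
      @io, @limit, @consumed = io, limit, 0
    end

    # Mirrors IO#read: a nil length means "to end of stream". Instead of passing
    # nil through, ask for at most (remaining + 1) bytes: one byte past the cap
    # proves the body is too large without buffering the rest of it.
    def read(length = nil, outbuf = nil)
      want = @limit - @consumed + 1
      want = [want, length].min if length
      chunk = outbuf ? @io.read(want, outbuf) : @io.read(want)
      return(length ? nil : '') if chunk.nil? # keep IO#read's EOF semantics
      @consumed += chunk.bytesize
      raise TooLarge, "request body exceeds #{@limit} bytes" if @consumed > @limit
      chunk
    end
  end

  def initialize(app, limit:)
    @app, @limit = app, limit
  end

  def call(env)
    declared = env['CONTENT_LENGTH']
    # Cheap pre-check: refuse by declared size before touching the body at all.
    return too_large if declared && declared.to_i > @limit

    env['rack.input'] = LimitedInput.new(env['rack.input'], @limit)
    # This rescue works because Rack::Request#POST reads the body inside #call;
    # a body read lazily after #call returns is still capped, but raises there.
    @app.call(env)
  rescue TooLarge
    too_large
  end

  private

  def too_large
    [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
  end
end

# Constructed downstream app that behaves like the unpatched parser described
# above: it slurps the whole form body with read(nil).
UNBOUNDED_APP = lambda do |env|
  body = env['rack.input'].read(nil)
  [200, { 'content-type' => 'text/plain' }, ["read #{body.bytesize} bytes"]]
end

LIMIT = 1024 # assumed cap for the demo
PROTECTED_APP = BodyLimit.new(UNBOUNDED_APP, limit: LIMIT)

# Runs a constructed urlencoded POST through app. content_length: nil simulates
# a chunked request. Returns [status, response text, bytes pulled from the wire].
def post_form(app, body, content_length: body.bytesize)
  input = StringIO.new(body)
  env = { 'REQUEST_METHOD' => 'POST', 'rack.input' => input,
          'CONTENT_TYPE' => 'application/x-www-form-urlencoded' }
  env['CONTENT_LENGTH'] = content_length.to_s if content_length
  status, _headers, parts = app.call(env)
  [status, parts.join, input.pos]
end

if $PROGRAM_NAME == __FILE__
  small = 'param=' + 'A' * 100
  huge  = 'param=' + 'A' * 5_000
  p post_form(UNBOUNDED_APP, huge)                      # [200, "read 5006 bytes", 5006]
  p post_form(PROTECTED_APP, small)                     # [200, "read 106 bytes", 106]
  p post_form(PROTECTED_APP, huge)                      # [413, "Payload Too Large", 0]
  p post_form(PROTECTED_APP, huge, content_length: nil) # [413, "Payload Too Large", 1025]
end
```

Run it with `ruby` to see the four outcomes: the unprotected app buffers the whole 5006-byte body, while the protected app serves the small body, rejects the oversized one on `Content-Length` without reading a byte, and stops the chunked variant after LIMIT + 1 bytes. A middleware like this belongs in front of the application (the first `use` line in `config.ru`), because `Rack::Request#POST` reads the body the first time any handler asks for form parameters.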
Platform: Ruby Rack
Version: < 2.2.6.4, < 3.0.5.1
Vulnerability: Memory Exhaustion
Severity: Critical
Date: 2023-01-10
Prediction: Patch 2023-01-17
What Undercode Says:

Reproduction, against a test instance you control (`http://target.com/path` is the page's placeholder). The original one-liner inlined a gigabyte of base64 into a single shell argument, which fails with "Argument list too long"; write the body to a file and send the file instead:

`{ printf 'param='; dd if=/dev/zero bs=1M count=1024 2>/dev/null | tr '\0' 'A'; } > body.txt`
`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" --data-binary @body.txt http://target.com/path`

Watch the application process read the body and its memory grow (`$PID` stands for the Ruby worker's process id):

`strace -e trace=read -p "$PID"`
`grep VmSize /proc/"$PID"/status`

How Exploit:
Send a large urlencoded POST. A single request is enough, and the body does not need to be well-formed form data, only large, since it is read in full before it is parsed.

Protection from this CVE:
Update Rack to a patched version.
Cap the request body at the reverse proxy, e.g. nginx `client_max_body_size`. The default is 1m, but `client_max_body_size 0;` disables the check entirely, so confirm the directive is not set to 0 and that the limit is well below what one worker process can afford to buffer.

Impact:
Application crash.
Server memory exhaustion.
Sources:
Reported By: github.com