Arbitrary end of a string by using Nullbyte's symbol (Ruby 1.9.3p194)

A couple of days ago I was doing a dummy app using RoR 3.2.12 and ruby
1.9.3p194… so after playing with the params for a while I realized that
I’m able to skip the file extension by doing

```
file="../../../../../etc/passwd\c0000"
@data= File.read('public/'+file+'.txt')
```

just like the old PHP versions or some Java versions… so I thought it
was a RoR bug. Therefore I decided to report it to Aaron Patterson
(from the RoR security mailing list), who politely helped me figure out
that this is a bug in the ruby 1.9.3p194 version.

The weirdest thing is that I’ve tested in older versions
(ruby-1.9.2-p320), getting the right outcome from my point of view [
ArgumentError (string contains null byte) ], but this particular
build skips that exception…

So my question should be… Is there any particular reason why in version
of ruby 1.9.3p194 the “string contains null byte” exception is not
deployed?

thanks in advance!

Christian Yerena

On Wed, Mar 27, 2013 at 6:53 PM, Preth H. wrote:

> this is a bug in ruby 1.9.3p194 version.
>
> The weirdest thing is that I’ve tested in older versions
> (ruby-1.9.2-p320), getting the right outcome from my point of view [
> ArgumentError (string contains null byte) ], but this particular
> build skips that exception…
>
> So my question should be… Is there any particular reason why in version
> of ruby 1.9.3p194 the “string contains null byte” exception is not
> deployed?

Maybe because there are no null bytes in your example?

```
irb(main):012:0> file="../../../../../etc/passwd\c0000"
=> "../../../../../etc/passwd\u0010000"
irb(main):013:0> file.chars.to_a
=> [".", ".", "/", ".", ".", "/", ".", ".", "/", ".", ".", "/", ".",
".", "/", "e", "t", "c", "/", "p", "a", "s", "s", "w", "d", "\u0010",
"0", "0", "0"]
irb(main):014:0> file.chars.each {|c| p c}
"."
"."
"/"
"."
"."
"/"
"."
"."
"/"
"."
"."
"/"
"."
"."
"/"
"e"
"t"
"c"
"/"
"p"
"a"
"s"
"s"
"w"
"d"
"\u0010"
"0"
"0"
"0"
=> "../../../../../etc/passwd\u0010000"
```

Even if there were, this seems completely legal:

```
irb(main):015:0> s="a\0b"
=> "a\u0000b"
irb(main):016:0> s.length
=> 3
irb(main):017:0> s.bytesize
=> 3
irb(main):018:0> s.chars.to_a
=> ["a", "\u0000", "b"]
```

But maybe I’m not getting what your issue is.

Kind regards

robert

Thanks for the note… try it with "\0"

```
$ ruby -v
ruby 1.9.3p194 (2012-04-20 revision 35410) [x86_64-darwin12.0.0]
$ irb
1.9.3-p194-perf :003 > file="../../../../../etc/passwd\0"
=> "../../../../../etc/passwd\u0000"
1.9.3-p194-perf :004 > @data= File.read('public/'+file+'.txt')
=> "##\n# User Database\n# \n# Note that this file is consulted
directly only when the system is running\n# in single-user mode. At
other times this information is provided by\n# Open Directory.\n#\n# See
the opendirectoryd(8) man page for additional information about\n# Open
Directory.\n##\nnobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin
"…
```

So the question is still open:
Is there any particular reason why in ruby 1.9.3p194 version the
“string contains null byte” exception is not deployed?

Thanks in advance.

On Wed, Mar 27, 2013 at 7:51 PM, Preth H. wrote:

> $ irb
> 1.9.3-p194-perf :003 > file="../../../../../etc/passwd\0"
> => "../../../../../etc/passwd\u0000"
> 1.9.3-p194-perf :004 > @data= File.read('public/'+file+'.txt')
> => "##\n# User Database\n# \n# Note that this file is consulted
> directly only when the system is running\n# in single-user mode. At
> other times this information is provided by\n# Open Directory.\n#\n# See
> the opendirectoryd(8) man page for additional information about\n# Open
> Directory.\n##\nnobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin
> "…

p194 is not the newest one. Maybe that version has a bug?

```
$ echo 111 >a
$ echo 222 >a.txt
$ ruby -e 'p File.read("a\0.txt")'
-e:1:in `read': string contains null byte (ArgumentError)
        from -e:1:in `<main>'
$ ruby -v
ruby 1.9.3p385 (2013-02-06 revision 39114) [i386-cygwin]
```

Cheers

robert
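
An added example, not part of the thread and not code from Ruby or Rails: one way to keep a `File.read('public/'+file+'.txt')` style lookup safe without depending on the interpreter raising `ArgumentError`. The helper name `safe_public_path`, the `UnsafePathError` class and the temporary sample tree are assumptions made for illustration.

```ruby
require 'pathname'
require 'tmpdir'

class UnsafePathError < StandardError; end

# Hypothetical helper: map a user-supplied name to "<base>/<name><ext>" and
# refuse anything that does not end up as a regular file inside base.
def safe_public_path(base_dir, name, ext = '.txt')
  name = name.to_s
  # Reject NUL ("\0") and other control bytes such as "\c0" (0x10) up front,
  # instead of depending on File.read raising ArgumentError.
  if name.each_byte.any? { |b| b < 0x20 || b == 0x7f }
    raise UnsafePathError, 'control or NUL byte in file name'
  end

  base = Pathname.new(base_dir).realpath
  begin
    # realpath resolves "../" and symlinks against the real file system.
    real = base.join(name + ext).realpath
  rescue SystemCallError
    raise UnsafePathError, 'no such file'
  end
  unless real.to_s.start_with?(base.to_s + File::SEPARATOR) && real.file?
    raise UnsafePathError, 'path escapes base directory'
  end
  real
end

# Constructed sample tree: public/hello.txt is servable, secret.txt is not.
def demo
  Dir.mktmpdir do |root|
    pub = File.join(root, 'public')
    Dir.mkdir(pub)
    File.write(File.join(pub, 'hello.txt'), "hi\n")
    File.write(File.join(root, 'secret.txt'), "s3cret\n")
    inputs = { ok: 'hello', nul: "../secret\0", ctrl: "hello\c0000",
               traversal: '../secret', missing: 'nope' }
    inputs.each_with_object({}) do |(label, name), out|
      out[label] = begin
        File.read(safe_public_path(pub, name))
      rescue UnsafePathError => e
        e.message
      end
    end
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The containment check runs on the resolved path, so it still holds on a build where the NUL-byte exception is missing, and it also stops plain `../` traversal that never involved a NUL byte.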