Proof of concept opens up new avenue of security research

Ethical hackers have opened a new frontier in security research by demonstrating that deserialization vulnerabilities in the Ruby programming language can create a remote code execution (RCE) vulnerability.

Serialization* involves converting a programming object into a series of bytes that can be stored on the filesystem or database. These bytes include the data and metadata required to reconstruct the original object, through a process called deserialization.

Deserialization outside defined bounds is a known class of security vulnerability. Flaws of this type have previously been demonstrated in PHP, .Net, and Java.

Problems in this area are far from academic. For example, insecure deserialization came in at eighth in the OWASP Top 10 Most Critical Web Application Security Risks for 2017 (the latest available edition).

Security researchers at Australian firm elttam have shown how deserializing user input in Ruby – previously considered risky – offers a means to push malicious code onto vulnerable systems.

More specifically, they proved how a gadget chain might be used as a technique to leverage an object-deserialization vulnerability into a proof-of-concept RCE attack.

Luke Jahnke of elttam explains how to achieve arbitrary deserialization for the Ruby programming language before using gadget chain to achieve arbitrary command execution for Ruby 2.x in a blog post.

Many programming frameworks are affected by deserialization, but Java has faced the greatest challenges in this area, prompting Oracle to drop deserialization support from the Java language’s standard package, as a long-term goal and part of Project Amber.

*Ruby uses the terms ‘marshalling’ and ‘unmarshalling’ to refer to serialization and deserialization