Introduction

A security flaw in Square’s open source project “Squash” was fixed silently by the developers on June 24th. I had stumbled upon it but had not disclosed it at the time; since I couldn’t find an advisory for it, here it is. A Metasploit module can be found below.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2013-5036 to this issue. This is an entry on the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Analysis

The Squash API is intended for clients to submit details about exceptions and bugs. As part of that, a YAML dump can be submitted. However, before the patch, one could submit a YAML document to the deobfuscation and sourcemap actions in app/controllers/api/v1_controller.rb without supplying an API key.

    def deobfuscation
      require_params :api_key, :environment, :build, :namespace
      map = YAML.load(Zlib::Inflate.inflate(Base64.decode64(params['namespace'])))
      return head(:unprocessable_entity) unless map.kind_of?(Squash::Java::Namespace)

Note that the document is parsed with YAML.load rather than YAML.safe_load, so the object is built from whatever the YAML says before the kind_of? check runs, which means we can exploit this by sending a crafted YAML payload.
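The following is an added illustration, not code from the Squash project: it reproduces the same Base64 → zlib → YAML decode chain with the hardened form, where safe_load is restricted to the one class the endpoint expects, so a document carrying any other !ruby/object tag is rejected before anything is instantiated. The Namespace class, the helper names and the sample documents are constructed stand-ins (the real class is Squash::Java::Namespace).

```ruby
require 'yaml'
require 'zlib'
require 'base64'

# Constructed stand-in for the namespace map class the endpoint expects.
class Namespace
  attr_accessor :entries
  def initialize(entries = {})
    @entries = entries
  end
end

# Same decode chain as the endpoint: Base64 -> zlib inflate -> YAML.
# Before the fix the last step was YAML.load, which (with Psych < 4) honours
# !ruby/object tags and instantiates whatever class the document names before
# the kind_of? check ever runs. safe_load with an explicit permitted_classes
# list rejects any other tag up front (Psych 4 / Ruby 3.1+ also makes plain
# YAML.load safe by default, but listing the expected class is still the
# right contract for this endpoint).
def decode_namespace(param)
  yaml = Zlib::Inflate.inflate(Base64.decode64(param))
  map  = YAML.safe_load(yaml, permitted_classes: [Namespace], aliases: false)
  raise ArgumentError, 'not a Namespace' unless map.kind_of?(Namespace)
  map
end

# Builds the request parameter the way a legitimate client would (constructed helper).
def encode_namespace(yaml)
  Base64.strict_encode64(Zlib::Deflate.deflate(yaml))
end

# Maps outcomes to symbols a controller could turn into HTTP statuses.
def classify(param)
  decode_namespace(param)
  :ok
rescue Psych::DisallowedClass
  :disallowed_class   # unexpected !ruby/object tag, nothing was instantiated
rescue ArgumentError
  :wrong_type         # valid YAML, but not the expected class
end

# Constructed sample documents.
EXPECTED   = encode_namespace("--- !ruby/object:Namespace\nentries:\n  a.b.C: com.example.Foo\n")
ROGUE_TAG  = encode_namespace("--- !ruby/object:SomeOtherClass\nx: 1\n")
PLAIN_HASH = encode_namespace("--- {a: 1}\n")
```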

Proof of concept

Metasploit module