From 39e672f4207aa46c4c0c11e0ce21cbaa3ab45d71 Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Sun, 2 Mar 2014 15:43:36 +0000
Subject: [PATCH] Fixed 2 RCE bugs in the DNS extension code (unsafe eval calls).
---
 extensions/dns/rest/dns.rb | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/extensions/dns/rest/dns.rb b/extensions/dns/rest/dns.rb
index 3e65d908f..1bd4fe76d 100644
--- a/extensions/dns/rest/dns.rb
+++ b/extensions/dns/rest/dns.rb
@@ -71,12 +71,20 @@ module BeEF
 type = body['type']
 response = body['response']
+ valid_types = ["A", "AAAA", "CNAME", "HINFO", "MINFO", "MX", "NS", "PTR", "SOA", "TXT", "WKS"]
+
 # Validate required JSON keys
 unless [pattern, type, response].include?(nil)
 # Determine whether 'pattern' is a String or Regexp
 begin
- pattern_test = eval pattern
- pattern = pattern_test if pattern_test.class == Regexp
+ # antisnatchor: UNSAFE EVAL!!! RCE
+ #pattern_test = eval pattern
+ #pattern = pattern_test if pattern_test.class == Regexp
+
+ # if pattern is a Regexp, then create a new Regexp object
+ if %r{\A/(.*)/([mix]*)\z} =~ pattern
+ pattern = Regexp.new(pattern)
+ end
 rescue => e; end
@@ -92,13 +100,15 @@ module BeEF
 raise InvalidJsonError, 'Empty "pattern" key passed to endpoint /api/dns/rule'
 end
- unless BeEF::Filters.is_non_empty_string?(type)
- raise InvalidJsonError, 'Empty "type" key passed to endpoint /api/dns/rule'
+ unless BeEF::Filters.is_non_empty_string?(type) && BeEF::Filters.alphanums_only?(type) && valid_types.include?(type)
+ raise InvalidJsonError, 'Wrong "type" key passed to endpoint /api/dns/rule'
 end
 id = ''
 block_src = format_response(type, response)
+
+ # antisnatchor: would be unsafe eval, but I added 2 validations before (alpha-num only and list of valid types)
 type_obj = eval "Resolv::DNS::Resource::IN::#{type}"
 # Bypass #add_rule so that 'block_src' can be passed as a String
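Review bot: `Regexp.new(pattern)` in the first hunk is handed the whole `/…/flags` string, so the compiled expression matches a literal leading slash and trailing flag letters rather than the source the caller wrote; the `(.*)` and `([mix]*)` captures of the guard regex are computed and then discarded. Build the Regexp from the captured source and translate the flag letters into `Regexp::MULTILINE`/`IGNORECASE`/`EXTENDED` options, as below. Because the pattern is caller-supplied, the bare `rescue => e; end` that follows silently leaves an uncompilable pattern as a plain String; narrowing it to `rescue RegexpError` and raising `InvalidJsonError` would surface a malformed regex to the caller instead of turning it into a literal match. The enclosing method starts and ends outside the hunk.
```ruby
# if pattern looks like a Regexp literal, build it from its source and flags
if (m = %r{\A/(.*)/([mix]*)\z}.match(pattern))
  opts = 0
  opts |= Regexp::MULTILINE  if m[2].include?('m')
  opts |= Regexp::IGNORECASE if m[2].include?('i')
  opts |= Regexp::EXTENDED   if m[2].include?('x')
  pattern = Regexp.new(m[1], opts)
end
# … unchanged: rescue clause …
```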
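Review bot: `type_obj = eval "Resolv::DNS::Resource::IN::#{type}"` in the second hunk still reaches `eval` with request data; the allow-list makes it safe as committed, but that safety now depends on `valid_types.include?(type)` and `alphanums_only?` staying in front of it on every future edit. The same lookup needs no `eval` at all: `type_obj = Resolv::DNS::Resource::IN.const_get(type)` resolves the constant from the already validated name and raises `NameError` for anything unknown, so the "would be unsafe eval" comment can be dropped along with the risk it describes. `valid_types` is also rebuilt as a local on every request; a frozen constant such as `VALID_TYPES = %w[A AAAA CNAME HINFO MINFO MX NS PTR SOA TXT WKS].freeze` at class level is the idiomatic home for the allow-list. The enclosing method starts and ends outside the hunk.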