Ruby 3.4 Universal RCE Deserialization Gadget Chain / nastystereo.com

Submitted by Style Pass, 2024-11-25 06:00:05

In a blog post from 2018 I shared the first universal gadget chain to exploit Ruby deserialization. There have been many new versions of Ruby since then, sometimes including code changes that break published gadget chains. So far, the breaks have only ever been temporary, with the infosec community releasing new gadget chains as needed.

While I did not find a gadget to load the standard URI module, I found that RubyGems includes a vendored copy of URI under Gem::URI that is suitable. Although also not available by default, it can become loaded through deserialization as Gem::SpecFetcher is registered for autoloading, which loads Gem::RemoteFetcher which loads Gem::Request which loads Gem::Net which finally loads Gem::URI.

Instead of ending the gadget chain with executing the zip binary with a malicious argument, rake or make are better candidates. They are installed by default in the official ruby Docker images and rake is in the top 10 most downloaded Ruby dependencies. They both also meet the requirement of executing arbitrary commands with control over ARGV[2] but not ARGV[1] (thanks GTFOBins).

The next improvement was to avoid the exception being raised after executing the gadget chain. The exception comes from the start of the gadget chain being a Gem::Version object. While Gem::Version is useful as it calls the to_s method on an arbitrary object, unfortunately it also performs a strict regular expression match against the value returned by the to_s method.
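The mitigation side of the two paragraphs above (the Gem:: autoload path and the Gem::Version entry point), as an added defender-side example that is not from the original post: a pre-check that lists the constant names referenced inside an untrusted Marshal stream without loading it, so that a service can refuse payloads naming Gem:: classes before Marshal.load ever runs. The prefix list, the helper names and the two sample streams are assumptions constructed for this example.

```ruby
require 'rubygems'

# Constant prefixes whose presence in an untrusted Marshal stream should block
# Marshal.load; Gem:: covers the Gem::Version / Gem::SpecFetcher gadgets the
# post describes. Assumed list, extend it for your own environment.
SUSPICIOUS_PREFIXES = ['Gem::'].freeze

# Decode Marshal's packed integer at byte offset +idx+; returns [value, next_idx].
def marshal_int(bytes, idx)
  c = bytes.getbyte(idx) || 0
  c -= 256 if c > 127                    # the first byte is signed
  return [0, idx + 1] if c == 0
  return [c - 5, idx + 1] if c >= 5      # small positives are stored as n + 5
  return [c + 5, idx + 1] if c <= -5     # small negatives as n - 5
  n = c.abs                              # otherwise |c| little-endian bytes follow
  v = 0
  n.times { |i| v |= (bytes.getbyte(idx + 1 + i) || 0) << (8 * i) }
  v -= 1 << (8 * n) if c < 0
  [v, idx + 1 + n]
end

# Return every constant-looking symbol (Foo, Foo::Bar) found in a Marshal stream
# without loading it. Symbols are encoded as ':' + packed length + name, so this
# is a conservative scan: a ':' inside string data may yield a false positive,
# which is the safe direction for a deny-list check.
def marshal_constant_names(payload)
  bytes = payload.b
  names = []
  idx = 0
  while (idx = bytes.index(':'.b, idx)) && idx + 1 < bytes.bytesize
    len, start = marshal_int(bytes, idx + 1)
    if len.between?(1, 256) && start + len <= bytes.bytesize
      name = bytes.byteslice(start, len)
      names << name if name.match?(/\A[A-Z]\w*(::[A-Z]\w*)*\z/n)
    end
    idx += 1
  end
  names.uniq
end

def suspicious_marshal?(payload, prefixes = SUSPICIOUS_PREFIXES)
  marshal_constant_names(payload).any? { |n| prefixes.any? { |p| n.start_with?(p) } }
end

# Constructed samples: a benign session-style hash, and a stream carrying a
# Gem::Version instance, the class the post names as the chain's entry point.
BENIGN  = Marshal.dump({ 'user' => 'alice', 'roles' => [:admin] })
GADGETY = Marshal.dump(Gem::Version.new('1.2.3'))
```

Such a scan is a stopgap for code that must keep calling Marshal.load on external data; the durable fix is to switch that interface to a data-only format such as JSON.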
