A security flaw in Square’s open source project “Squash” was fixed silently by the developers June 24th, which I happened to have stumbled upon but not disclosed at the time. But since I couldn’t find an advisory for it, here it goes. Metasploit module can be found below.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2013-5036 to this issue. This is an entry on the CVE list (http://cve.mitre.org), which standardizes names for security problems.
The Squash API is intended for clients to submit details about exceptions and bugs. As a part of that, a YAML dump can be submitted. However before the patch, without supplying an API key, one could submit a YAML to the functions deobfuscation and sourcemap in app/controllers/api/v1_controller.rb.
require_params :api_key, :environment, :build, :namespace
map = YAML.load(Zlib::Inflate.inflate(Base64.decode64(params['namespace'])))
return head(:unprocessable_entity) unless map.kind_of?(Squash::Java::Namespace)
Note that the YAML load is not specified as using the safe load, which means we can exploit this by sending a YAML payload.
Proof of concept