CVE-2017-16229
Description
Ox gem 2.8.1 for Ruby has a stack-based buffer over-read in read_from_str (sax_buf.c) that crashes the process when parsing a crafted XML input via sax_parse.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In the Ox gem version 2.8.1 for Ruby, the read_from_str function in sax_buf.c (the read path used when a String, rather than an IO, is handed to the SAX parser) contains a stack-based buffer over-read [1]. When the SAX parser is invoked via Ox.sax_parse with a crafted XML input, the process crashes with a segmentation fault [1][3]. The issue was confirmed on Ruby 2.4.2p198 on x86_64-linux [1].
Exploitation
An attacker must supply specially crafted XML to the SAX parser [1]; no authentication is required beyond the ability to get that input in front of Ox.sax_parse. The crash occurs during parsing when read_from_str reads beyond the bounds of a stack buffer, as demonstrated by the proof-of-concept script in the issue report [1]; the crafted input itself is distributed via a Google Drive link in that report [1].
Impact
A successful trigger causes a segmentation fault, crashing the Ruby process [1]; this is a denial-of-service (DoS) condition for any service that feeds untrusted XML to Ox's SAX API. The processed crash output reports a fault at address 0x41414141 (the byte pattern "AAAA"), which indicates that the faulting pointer was derived from attacker-controlled input bytes; that degree of control could potentially be leveraged beyond a crash, but the available references do not confirm exploitation beyond the crash itself [1][3].
Mitigation
The references cited by this narrative do not link a fix commit [1][2][3][4], but the GitHub Security Advisory behind the Affected packages table lists 2.8.2 as the first patched version, so users of ox 2.8.1 (or earlier) should upgrade to ox >= 2.8.2 and otherwise monitor the official repository [2]. The disclosed information provides no workaround; until the upgrade is in place, the practical options are to avoid passing untrusted XML to Ox.sax_parse, or to confine that parsing to a disposable process so that a crash is contained rather than fatal to the caller. The gem's maintainer was notified via the GitHub issue tracker [1].
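As an added example (not code from the Ox project, the issue report, or this page), the Ruby below does the two things a practitioner would want from the Exploitation and Mitigation sections: it gates the installed ox version against the patched version from the Affected packages table, and it confines Ox.sax_parse to a forked child process so that a native crash in sax_buf.c (or a hang) surfaces as a recoverable result instead of killing the caller. It assumes MRI on a POSIX system (Kernel#fork); the function names ox_affected?, installed_ox_version, parse_isolated and sax_parse_isolated are illustrative, and the sample XML is constructed here, not the crafted input from the report.

```ruby
# Added example (not Ox project code): version gate plus process-isolated SAX parsing.
# Assumes MRI on a POSIX system (Kernel#fork). Function names are illustrative.
require 'rubygems'
require 'timeout'

# First patched version per the GitHub Security Advisory listed on this page.
OX_FIXED_VERSION = Gem::Version.new('2.8.2')

# True when the given ox version falls in the affected range (< 2.8.2).
def ox_affected?(version_string)
  Gem::Version.new(version_string) < OX_FIXED_VERSION
end

# Version of the ox gem visible to RubyGems here, or nil when it is not installed.
def installed_ox_version
  Gem::Specification.find_by_name('ox').version.to_s
rescue Gem::LoadError
  nil
end

# Run the block in a forked child and describe the outcome as a hash:
#   { status: :ok, value: ... }        block returned normally
#   { status: :error, message: ... }   block raised (LoadError, parse error, ...)
#   { status: :crashed, signal: n }    child died by signal (native crash)
#   { status: :timeout }               child exceeded timeout_seconds and was killed
# MRI's own crash handler usually turns a SIGSEGV in a C extension into an abort,
# so callers should rely on :crashed rather than on a particular signal number.
def parse_isolated(timeout_seconds: 5, &work)
  reader, writer = IO.pipe
  pid = fork do
    reader.close
    result = begin
      { status: :ok, value: work.call }
    rescue StandardError, ScriptError => e
      { status: :error, message: "#{e.class}: #{e.message}" }
    end
    payload = begin
      Marshal.dump(result)
    rescue TypeError
      Marshal.dump({ status: :error, message: 'result is not serializable' })
    end
    writer.write(payload)
    writer.close
    exit!(0) # skip at_exit handlers inherited from the parent
  end
  writer.close
  # EOF arrives when the child exits or dies; a hang is cut off by the timeout.
  payload = begin
    Timeout.timeout(timeout_seconds) { reader.read }
  rescue Timeout::Error
    Process.kill('KILL', pid)
    nil
  end
  _, status = Process.waitpid2(pid)
  reader.close
  return { status: :timeout } if payload.nil?
  return { status: :crashed, signal: status.termsig } if status.signaled?
  return { status: :error, message: "child exited #{status.exitstatus} without a result" } if payload.empty?
  Marshal.load(payload)
end

# SAX-parse an untrusted XML string with Ox inside the sandbox. Passing a String
# (rather than an IO) exercises the read_from_str path named in the CVE. The
# handler only counts start-element callbacks.
def sax_parse_isolated(xml, timeout_seconds: 5)
  parse_isolated(timeout_seconds: timeout_seconds) do
    require 'ox'
    handler = Class.new do
      attr_reader :count
      def initialize; @count = 0; end
      def start_element(_name); @count += 1; end
    end.new
    Ox.sax_parse(handler, xml)
    handler.count
  end
end

if __FILE__ == $PROGRAM_NAME
  version = installed_ox_version
  if version
    puts "ox #{version}: #{ox_affected?(version) ? 'AFFECTED (< 2.8.2)' : 'patched'}"
  else
    puts 'ox is not installed'
  end
  # Constructed sample input; substitute the crafted file from the issue report to reproduce.
  p sax_parse_isolated('<root><child/></root>')
end
```

The child exits with exit! so the parent's at_exit hooks never run twice, and the result travels back over a pipe as a Marshal payload; a crash shows up as EOF on that pipe plus a signal in the wait status, and a hang is cut off by the read timeout followed by SIGKILL.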
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ox (RubyGems) | < 2.8.2 | 2.8.2 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/advisories/GHSA-wfwm-chj7-w59r (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-16229 (advisory, via GHSA)
- github.com/ohler55/ox/issues/195 (issue report, via GHSA; x_refsource_MISC)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/ox/CVE-2017-16229.yml (via GHSA)
- rubygems.org/gems/ox/versions/2.8.1 (via GHSA; x_refsource_MISC)
News mentions: 0
No linked articles in our index yet.