Type confusion in wrap_decimal leading to memory corruption

Disclosed: 2017-01-15 20:03:46 By raydot To shopify-scripts
Severity: Critical
Vulnerability Details
Decimal can be redefined, causing the Decimal class lookup in wrap_decimal to be invalid. This can lead to memory corruption or arbitrary code execution. The following snippet results in a native crash in mruby-engine:

    olddecimal = Decimal.new(1)
    Decimal = Hash
    a = -olddecimal
    puts a

I suspect you caught this along with charliesome's similar bug for Struct. If not I'll follow up with a patch and an RCE exploit.
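The root cause the report describes is a native extension resolving the `Decimal` class by name at call time and trusting whatever object that lookup produces. The following Ruby model is an added example, not code from the report or from mruby-engine; it assumes (the report does not show the C source) that wrap_decimal performs a by-name lookup and does not verify the object's data type before using it. It contrasts that fragile pattern with the two defensive habits for native wrappers: capture the class reference once at extension-init time (the equivalent of keeping the pointer mrb_define_class returned) and check the object's data-type tag (the equivalent of mrb_data_check_type) before treating it as Decimal-backed data. The names DECIMAL_DATA_TYPE, wrap_decimal_by_name, wrap_decimal_cached, decimal_value and demo_rebinding are hypothetical.

```ruby
# Added example: Ruby model of a native wrapper resolving a class by name vs. by
# a captured reference. Not the report's code and not mruby-engine's code.

# Stand-in for the native data-type tag (mrb_data_type) a C extension attaches
# to the objects it creates.
DECIMAL_DATA_TYPE = :decimal_data

class Decimal
  attr_reader :value, :data_type

  def initialize(value)
    @value = value
    @data_type = DECIMAL_DATA_TYPE
  end
end

# Reference captured once at "extension init", like storing the RClass* that
# mrb_define_class returned instead of re-resolving the constant later.
DECIMAL_CLASS_AT_INIT = Decimal

# Fragile pattern (assumed to mirror the report): resolve the constant by name
# on every call. After `Decimal = Hash` this silently builds a Hash, and native
# code that then treats the result as Decimal data is type-confused.
def wrap_decimal_by_name(value)
  klass = Object.const_get(:Decimal)
  klass.new(value)
end

# Robust pattern: use the reference captured at init, so rebinding the
# constant from script code cannot change which class is instantiated.
def wrap_decimal_cached(value)
  DECIMAL_CLASS_AT_INIT.new(value)
end

# Type-tag check before using an object as Decimal data (the role of
# mrb_data_check_type). Raises instead of dereferencing the wrong layout.
def decimal_value(obj)
  unless obj.is_a?(DECIMAL_CLASS_AT_INIT) &&
         obj.respond_to?(:data_type) &&
         obj.data_type == DECIMAL_DATA_TYPE
    raise TypeError, "expected Decimal data, got #{obj.class}"
  end
  obj.value
end

# Reproduces the report's constant rebinding (`Decimal = Hash`) and records how
# each wrapper and the type check behave. Restores the constant afterwards.
def demo_rebinding
  results = {}
  original = Object.const_get(:Decimal)
  olddecimal = original.new(1)

  # Remove then re-set to avoid the "already initialized constant" warning.
  Object.send(:remove_const, :Decimal)
  Object.const_set(:Decimal, Hash)

  by_name = wrap_decimal_by_name(1)
  cached = wrap_decimal_cached(1)

  results[:by_name_class] = by_name.class   # Hash: the confused object
  results[:cached_class] = cached.class     # the original Decimal class
  results[:old_instance_intact] = olddecimal.is_a?(DECIMAL_CLASS_AT_INIT)
  results[:by_name_check] =
    begin
      decimal_value(by_name)
      :accepted
    rescue TypeError
      :rejected
    end
  results[:cached_value] = decimal_value(cached)
  results
ensure
  Object.send(:remove_const, :Decimal) if Object.const_defined?(:Decimal)
  Object.const_set(:Decimal, original)
end

if __FILE__ == $PROGRAM_NAME
  demo_rebinding.each { |k, v| puts "#{k}: #{v}" }
end
```

The by-name path returns a Hash where Decimal data was expected; the type-tag check rejects it, while the cached-reference path is unaffected by the rebinding. In a C extension the same two controls are what prevent a script-level constant reassignment from turning into a native memory-safety bug.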
Report Stats
  • Report ID: 185051
  • State: Closed
  • Substate: resolved
  • Upvotes: 35