Ruby Marshal

Ruby Marshal is Ruby's native serialization mechanism. Like Python's pickle, Marshal.load reconstructs arbitrary objects of whatever classes are loaded in the process, so deserializing untrusted input can lead to arbitrary code execution through gadget chains built from those existing classes.

The Danger

# Marshal can invoke methods during deserialization
# Gadget chains abuse existing Ruby classes

# ERB template execution gadget
require 'erb'
template = ERB.new("<%= system('id') %>")
payload = Marshal.dump(template)

# When the victim deserializes:
Marshal.load(payload)  # Restores the ERB object; the template runs once the app calls #result on it

Rails Cookie Deserialization

Rails before 4.1 used Marshal as the default serializer for signed session cookies, so anyone who holds the secret_key_base can produce a cookie the app will deserialize:

# Rails secret key allows forging cookies
# With known secret_key_base:

# 1. Create malicious object
# 2. Marshal.dump()
# 3. Sign with secret key
# 4. Send cookie to victim app
# 5. App deserializes → RCE

Known Gadget Chains

  • ERB: Template execution
  • Gem::Requirement: Universal gadget
  • Gem::DependencyList: Another approach
  • Various CVEs in Rails versions

Prevention

  • Don't Marshal.load untrusted data
  • Use JSON for external data
  • Rails 4.1+: Use JSON serializer for cookies
  • Keep secret_key_base truly secret
  • Update Rails regularly
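The following is an added example written for this page, not code from the original or from Rails: it shows the defender-side checks that the prevention list implies. A loader for data crossing a trust boundary refuses anything that looks like Marshal output (every Marshal.dump blob starts with the format-version bytes 4.8) and parses JSON instead, and a small cookie inspector flags the legacy Marshal-based Rails cookie layout described above so an app still on the old serializer can be spotted from captured traffic or logs. The helper names (load_untrusted, marshal_blob?, marshal_session_cookie?) and the sample session data are this example's own.

```ruby
# Added example, not from the original page or from Rails.
require 'json'
require 'base64'

# Every Marshal.dump output starts with the format version bytes 4.8.
MARSHAL_MAGIC = "\x04\x08".b

class UntrustedMarshalError < StandardError; end

# True when the bytes look like Ruby Marshal output.
def marshal_blob?(bytes)
  bytes.to_s.b.start_with?(MARSHAL_MAGIC)
end

# Loader for data that crossed a trust boundary: Marshal.load is never called.
# create_additions: false also disables JSON's own "json_class" object revival.
def load_untrusted(bytes)
  raise UntrustedMarshalError, 'refusing to deserialize Marshal data' if marshal_blob?(bytes)
  JSON.parse(bytes, create_additions: false)
end

# Legacy Rails cookie layout: base64(payload) + "--" + hex HMAC signature.
# Returns true when the payload half is Marshal rather than JSON, i.e. the
# app is still on the pre-4.1 :marshal cookie serializer.
def marshal_session_cookie?(cookie_value)
  payload_b64 = cookie_value.to_s.split('--', 2).first.to_s
  marshal_blob?(Base64.decode64(payload_b64))
rescue ArgumentError
  false
end

# Constructed samples (not real cookies): a harmless session hash serialized
# both ways, with a dummy all-zero signature suffix.
SESSION = { 'session_id' => 'abc123', 'user_id' => 42 }
LEGACY_COOKIE = Base64.strict_encode64(Marshal.dump(SESSION)) + '--' + ('0' * 40)
JSON_COOKIE   = Base64.strict_encode64(JSON.generate(SESSION)) + '--' + ('0' * 40)

if __FILE__ == $PROGRAM_NAME
  puts "legacy cookie uses Marshal: #{marshal_session_cookie?(LEGACY_COOKIE)}"  # true
  puts "json cookie uses Marshal:   #{marshal_session_cookie?(JSON_COOKIE)}"    # false
  puts load_untrusted(JSON.generate(SESSION)).inspect
  begin
    load_untrusted(Marshal.dump(SESSION))
  rescue UntrustedMarshalError => e
    puts "rejected: #{e.message}"
  end
end
```

Inside the application the matching fix is the Rails setting `config.action_dispatch.cookies_serializer = :json` (Rails 4.1 also offers `:hybrid`, which reads existing Marshal cookies but writes JSON, for migrating live sessions); the magic-byte check above is only a detection aid and is no substitute for never calling Marshal.load on external data.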

PentesterLab Exercises

See Also