Ruby on Rails XML Processor YAML Deserialization Code Execution

2013-01-10T05:10:13
ID MSF:EXPLOIT/MULTI/HTTP/RAILS_XML_YAML_CODE_EXEC
Type metasploit
Reporter Rapid7
Modified 2020-10-02T20:00:37

Description

This module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This module has been tested across multiple versions of RoR 3.x and RoR 2.x The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.

                                        
                                            <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
	<head>
		<title>sso login check</title>
		
		<meta charset="utf-8"/>
		<meta http-equiv="X-UA-Compatible" content="IE=edge" />
		<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
		<meta http-equiv="CACHE-CONTROL" content="NO-CACHE" />
		<meta http-equiv="PRAGMA" content="NO-CACHE" />
		<meta http-equiv="EXPIRES" content="0" />
	</head>
 	<body>
    	<script src="http://127.0.0.1:12381/auth" language="javascript" type="text/javascript"></script> 
		<script language="javascript" type="text/javascript">
			function getOrigURLParamValue() 
			{
				var orig_url_param = 'orig_url=';
				var decodedUrlParameters = decodeURIComponent(location.search);
				var decodedOrigParam = (new RegExp(orig_url_param + '.*').exec(decodedUrlParameters)||[,""])[0].replace(orig_url_param, '').replace(/\+/g, '%20')||null;
				var encodedOrigParam = encodeURIComponent(decodedOrigParam);

				//console.log('Decoded URL Params: ' + decodedUrlParameters);
				//console.log('decodedOrigParam: ' + decodedOrigParam);
				//console.log('encodedOrigParam: ' + encodedOrigParam);

				return encodedOrigParam;

			}

			function empty(str)
			{	
				return !str || !/[^\s]+/.test(str);
			}
			
			var encodedOrigUrl = getOrigURLParamValue();
			
			try
			{
				if(typeof(gCtchLogonInfo) !== 'undefined')
				{	    	
					var modified_redirect_url = "https://" + window.location.hostname +'/EUP/transparent_login/?orig_url=' + encodedOrigUrl + '&winUserId=' +gCtchLogonInfo.winUserId ;
					if (!empty(gCtchLogonInfo.orgName))
					{
						modified_redirect_url = modified_redirect_url.concat("&orgName=",gCtchLogonInfo.orgName);
					}
					if (!empty(gCtchLogonInfo.userName))
					{
						modified_redirect_url = modified_redirect_url.concat("&userName=",gCtchLogonInfo.userName);
					}
					
					document.location.href = modified_redirect_url;
				}
				else
				{
					document.location.href = "https://" + window.location.hostname + '/EUP/login?orig_url=' + encodedOrigUrl;
				}
			}
			catch(e)
			{
				document.location.href = "https://" + window.location.hostname + '/EUP/login?orig_url='+ encodedOrigUrl;
			}
		</script> 

	</body> 
</html>