Vulners
Lucene search
Ruby On Rails XML Processor YAML Deserialization Scanner
🗓️ 01 Sep 2024 00:00:00Reported by H D Moore, jjarmoc, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 197 Views
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'Ruby on Rails XML Processor YAML Deserialization Scanner',
'Description' => %q{
This module attempts to identify Ruby on Rails instances vulnerable to
an arbitrary object instantiation flaw in the XML request processor.
},
'Author' => [
'hdm', # author
'jjarmoc' # improvements
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-0156'],
['URL', 'https://www.rapid7.com/blog/post/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156/']
]
))
register_options([
OptString.new('URIPATH', [true, "The URI to test", "/"]),
OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]),
])
end
def send_probe(ptype, pdata)
odata = %Q^<?xml version="1.0" encoding="UTF-8"?>\n<probe type="#{ptype}"><![CDATA[\n#{pdata}\n]]></probe>^
res = send_request_cgi({
'uri' => datastore['URIPATH'] || "/",
'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/xml',
'data' => odata
}, 25)
end
def run_host(ip)
res1 = send_probe("string", "hello")
unless res1
vprint_status("#{rhost}:#{rport} No reply to the initial XML request")
return
end
if res1.code.to_s =~ /^[5]/
vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")
return
end
res2 = send_probe("yaml", "--- !ruby/object:Time {}\n")
unless res2
vprint_status("#{rhost}:#{rport} No reply to the initial YAML probe")
return
end
res3 = send_probe("yaml", "--- !ruby/object:\x00")
unless res3
vprint_status("#{rhost}:#{rport} No reply to the second YAML probe")
return
end
vprint_status("Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}")
if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)
print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML")
report_vuln({
:host => rhost,
:port => rport,
:proto => 'tcp',
:name => self.name,
:info => "Module triggered a #{res3.code} reply",
:refs => self.references
})
else
vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH & HTTP_METHOD must be set")
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Sep 2024 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 27.5
EPSS0.91907