Exploit in Rails Development Mode. With some knowledge of a target application it is possible for an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.# CVE-2019-5420 PoC
A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit. This PoC code for CVE-2019-5420 escalates the privileges to admin account without the remote code execution itself.
# How to use
Copy the value of the cookie and replace it with "VALUE_OF_THE_COOKIE" at line 11:
`cookie = CGI.unescape "VALUE_OF_THE_COOKIE" # put in the value of your cookie here`
Furthermore, replace "NAME::Application" with the name of your application. For example, if the applications name is "test", it would be "test::Application":
`secret = Digest::MD5.hexdigest("NAME::Application") # the name of the ruby on rails application, either bruteforce or have to be known directly`
Run the exploit and copy the output of the cookie. Replace it with the cookie of the web application:
`ruby CVE-2019-5420.rb`
[4.0K] /data/pocs/e42a4846bde4b3dbecf049fdc6d2bd4c64d8afed
├── [1.2K] CVE-2019-5420.rb
└── [1.0K] README.md
0 directories, 2 files