Reproduction and demonstration of CVE-2019-5418


Introduction:

There is a File Content Disclosure vulnerability in Action View affecting Rails versions 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing the file contents. The impact is limited to calls to render which render file contents without a specified accept format.

What is Rails?

Ruby on Rails, or Rails, is a server-side web application framework written in Ruby that uses the model–view–controller (MVC) architectural pattern, providing default structures for a database, a web service, and web pages. (Diagram: MVC.png)

Rails is used to build full web applications such as Basecamp, GitHub, Shopify, Airbnb, Twitch, SoundCloud, Hulu, Zendesk, Square and Cookpad.

Path Traversal:

This vulnerability is a path traversal vulnerability (OWASP Top 10: A5:2017-Broken Access Control). A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with dot-dot-slash (../) sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files. It should be noted that access to files is limited by the operating system's access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).

This attack is also known as “dot-dot-slash,” “directory traversal,” “directory climbing” and “backtracking.” source: OWASP Path Traversal
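The request-side indicator for this bug is the Accept header: instead of a list of media ranges it carries a file path. The following is an added example for this write-up (not code from the original post or from the RailRoadBandit repo): a Rack-style middleware that refuses any request whose Accept header does not parse as media ranges, and records the rejected value for the analyst. It relies only on the Rack calling convention (call(env) returning [status, headers, body]), so it runs here without the rack gem; the inner app and the sample requests are stand-ins I constructed, not Rails and not captured traffic.

```ruby
# Added example for this write-up (not code from the original post or from the
# RailRoadBandit repo): a Rack-style middleware that refuses requests whose
# Accept header is not a list of media ranges. It only relies on the Rack
# calling convention (call(env) -> [status, headers, body]), so it runs here
# without the rack gem; the inner app below is a stand-in, not Rails.

# RFC 7231 token and media-range grammar (type "/" subtype, optional ;params).
# Treating the header as an allow-list means "../" sequences and absolute
# paths are rejected without enumerating payload variants.
TOKEN = /[!\#$%&'*+\-.^_`|~0-9A-Za-z]+/
MEDIA_RANGE = %r{\A\s*(\*|#{TOKEN})/(\*|#{TOKEN})(\s*;\s*#{TOKEN}\s*=\s*(#{TOKEN}|"[^"]*"))*\s*\z}

def valid_accept?(header)
  return true if header.nil? || header.strip.empty? # absent header: server default applies
  return false if header.include?('..')              # no real media type contains dot-dot
  header.split(',').all? { |range| MEDIA_RANGE.match?(range) }
end

class AcceptHeaderGuard
  def initialize(app, log: [])
    @app = app
    @log = log
  end

  def call(env)
    accept = env['HTTP_ACCEPT']
    return @app.call(env) if valid_accept?(accept)

    # Record the rejection: the raw header value is the indicator an analyst wants.
    @log << { ip: env['REMOTE_ADDR'], path: env['PATH_INFO'], accept: accept }
    [406, { 'Content-Type' => 'text/plain' }, ["Not Acceptable\n"]]
  end
end

# Constructed sample traffic (not captured data): two normal clients and two
# attempts that put a file path where a media range belongs.
SAMPLE_REQUESTS = [
  { 'REMOTE_ADDR' => '203.0.113.10', 'PATH_INFO' => '/',
    'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' },
  { 'REMOTE_ADDR' => '203.0.113.11', 'PATH_INFO' => '/application/index',
    'HTTP_ACCEPT' => 'application/json; charset="utf-8"' },
  { 'REMOTE_ADDR' => '198.51.100.7', 'PATH_INFO' => '/',
    'HTTP_ACCEPT' => '../../../../../../../../../etc/passwd' },
  { 'REMOTE_ADDR' => '198.51.100.7', 'PATH_INFO' => '/',
    'HTTP_ACCEPT' => '/etc/passwd' },
].freeze

# Runs the sample through the guard; returns the status per request and the log.
def run_sample(requests = SAMPLE_REQUESTS)
  log = []
  inner = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ["<h1>bandit</h1>\n"]] }
  guard = AcceptHeaderGuard.new(inner, log: log)
  statuses = requests.map { |env| guard.call(env).first }
  [statuses, log]
end

if __FILE__ == $PROGRAM_NAME
  statuses, log = run_sample
  puts "statuses: #{statuses.inspect}"
  log.each { |e| puts "blocked #{e[:ip]} #{e[:path]} Accept=#{e[:accept].inspect}" }
end
```

In a real application this would be mounted in front of the router (config.middleware.insert_before 0, AcceptHeaderGuard) and the log shipped to the SIEM. It is a compensating control only: it blocks the header shape the page describes, but the defect lives in Action View's file lookup, so the fix is still to upgrade to a patched release.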

Reproducing:

To demonstrate the vulnerability, I built a Ruby on Rails site: bandit.bad3r.xyz. You can clone my site and run it locally: install Ruby on Rails, then clone my repo Bad3r/RailRoadBandit. DigitalOcean has an excellent guide to get you started (How To Install Ruby on Rails with rbenv on Ubuntu 18.04); make sure to install a vulnerable Rails, e.g. 5.2.1. You can also create your own demo manually by editing the default application controller in <web root folder>/app/controllers/application_controller.rb.

Open the file and add a call to render file:

class ApplicationController < ActionController::Base
    def index
        render file: "#{Rails.root}/public/bandit/bandit.html"
    end
end

Here I am just rendering an HTML file, but you can also render any text file. Then edit the routes file located in <web root folder>/config/routes.rb to add a route for the controller:

Rails.application.routes.draw do
    get 'application/index' => 'application#index'
    root 'application#index'
end

That's all you need to follow this demo. Check that the file is rendered correctly and that the routes.rb config is correct.

Exploiting the vulnerability

The script used in the demo is available in my GitHub repo Bad3r/RailRoadBandit. Run the script using the format:

┌ ~/RailroadBandit
└> % python3 Bandit.py http://bandit.bad3r.xyz/

Then you will see a menu of built-in options to view some sensitive data:

└> % python3 Bandit.py http://bandit.bad3r.xyz/

    ----------------------------------------------
    Arbitrary Traversal exploit for Ruby on Rails
                     CVE-2019-5418
    ----------------------------------------------


             Enter an option or a file path (enter quit or q to exit)

             enter 1 for /etc/passwd 

             enter 2 for /proc/cpuinfo 

             enter 3 for bash history 

             enter 4 to brute force:

You can use one of the built-in options or give the path of the file manually, for example: ../../../../../../../../../etc/passwd

Here we use ../ for directory traversal; the result is shown in the screenshot (etc_password.png).

I am working on adding more features to the script, such as brute-forcing the web root directory name.

Ruby on Rails sensitive files

There are some important files in Ruby on Rails that can also reveal sensitive information:

File                                   Description
/config/database.yml                   May contain production credentials
/config/initializers/secret_token.rb   Contains a secret used to hash the session cookie
/db/seeds.rb                           May contain seed data including the bootstrap admin user
/db/development.sqlite3                May contain the SQL database
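The demo controller above renders one fixed file, and every file in this table sits outside the directory it was meant to serve from. The following is an added example for this write-up (not code from the original post, from the RailRoadBandit repo or from Rails itself) showing the general defence for file-backed rendering: resolve the requested name against an allow-listed directory and refuse anything whose resolved path, or the file it links to, falls outside it. The Rails.root layout (public/bandit and config/) is a throw-away fixture I build in a temp directory, and the file contents are placeholders. Note that this check is the generic path-traversal mitigation; CVE-2019-5418 itself is closed by upgrading to a patched release, and the upstream advisory's workaround (not reproduced on this page) is to pass an explicit formats: option to render.

```ruby
# Added example for this write-up (not code from the original post, from the
# RailRoadBandit repo or from Rails itself): a confinement check for file-backed
# rendering. The requested name is resolved against an allow-listed directory
# and refused if the resolved path, or the file it links to, lies outside it.
# A throw-away directory tree standing in for Rails.root (public/bandit and
# config/, as in the demo) is built in a temp dir so the example runs offline.
require 'tmpdir'
require 'fileutils'

# Returns the absolute path when +requested+ names a regular file inside +base+,
# nil otherwise. File.expand_path collapses "../" and handles absolute input
# before the prefix check; File.realpath follows symlinks so a link planted
# inside base that points outside it is rejected as well.
def confined_path(base, requested)
  base = File.realpath(base)
  candidate = File.expand_path(requested, base)
  return nil unless candidate.start_with?(base + File::SEPARATOR)
  return nil unless File.file?(candidate)
  File.realpath(candidate).start_with?(base + File::SEPARATOR) ? candidate : nil
rescue ArgumentError, Errno::ENOENT
  nil # e.g. "~nobody/..." input, or a dangling path component
end

# Stand-in for the demo controller: serve only files under public/bandit.
def render_bandit_file(rails_root, requested)
  path = confined_path(File.join(rails_root, 'public', 'bandit'), requested)
  path ? [200, File.read(path)] : [404, "not found\n"]
end

# Constructed fixture mirroring the write-up's layout; contents are placeholders.
def build_demo_root
  root = Dir.mktmpdir('railsroot')
  FileUtils.mkdir_p(File.join(root, 'public', 'bandit'))
  FileUtils.mkdir_p(File.join(root, 'config'))
  File.write(File.join(root, 'public', 'bandit', 'bandit.html'), "<h1>bandit</h1>\n")
  File.write(File.join(root, 'config', 'database.yml'), "production:\n  password: PLACEHOLDER\n")
  # A symlink inside the served directory pointing at the secret file.
  begin
    File.symlink(File.join(root, 'config', 'database.yml'),
                 File.join(root, 'public', 'bandit', 'link.yml'))
  rescue NotImplementedError, SystemCallError
    nil # platforms without symlink support: that case then falls back to 404 anyway
  end
  root
end

# Maps each requested name to the status the stand-in controller would return.
def demo
  root = build_demo_root
  requests = ['bandit.html', '../../config/database.yml',
              '../../../../../../../../../etc/passwd', '/etc/passwd', 'link.yml']
  requests.to_h { |r| [r, render_bandit_file(root, r).first] }
ensure
  FileUtils.rm_rf(root) if root
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |requested, status| puts format('%-42s -> %d', requested, status) }
end
```

Only bandit.html is served; the relative traversal to config/database.yml, the deep ../ chain from the demo, the absolute /etc/passwd and the planted symlink all come back 404. The prefix comparison uses base plus a separator so that a sibling directory such as public/bandit2 cannot match.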

Patch

The fix is in the Rails commit https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715 (screenshot: path_bandit.jpg).