Ruby on Rails remote code execution vulnerability analysis (CVE-2016-0752)
Vulnerability warning, 黑吧安全网 (myhack58)

Source id: MYHACK58:62201671511
Published: Jan 29, 2016, 12:00 a.m.
Author: 佚名 (Anonymous)
www.myhack58.com
If your application uses a dynamic render path such as `render params[:id]`, then unfortunately it currently contains a local file inclusion vulnerability that leads to remote code execution. Update Rails to the latest version as quickly as possible, or refactor your controllers.
In this article we demonstrate how a defect in the Ruby on Rails framework can, in some cases, let an attacker execute commands remotely.
Rails controllers are designed to implicitly render a view file based on the invoked method. For example, when the show method of a controller executes and no render mode is stated explicitly, the framework automatically renders show.html.erb for the page.
In most cases, however, developers decide what to render based on the requested format, such as text, JSON or XML, or render an entirely different view file; here "view file" means a template-language file (ERB, HTML and the like).
There are many ways to influence what a view renders; here we focus only on the render method. The Rails documentation lists several ways to call render, including the file: option, which explicitly specifies a path to a file.
If you have read the workarounds in the documentation at http://guides.rubyonrails.org/layouts_and_rendering.html and are still not sure you need such a feature, you are not alone.
Let's look at the code:

```ruby
def show
  render params[:template]
end
```
At first glance the code is very simple; as you might guess, this controller method renders the template named by the "template" parameter. What is unclear is where Rails will look for that template: in the view directory, in the application's root directory, or elsewhere? Does it expect a template name, a specific file name, or a complete file path? Questions of this kind can only be answered by looking at the implementation details.
Related description
The dynamic rendering mechanism is a typical example of one function trying to do too much, and that is where the problem lies.
Assume the expected behaviour of the rendering mechanism is to render the file app/views/user/#{params[:template]}, which seems like a reasonable idea. If we assign dashboard to template, the application tries to load the template app/views/user/dashboard.{ext}, where ext is any extension Ruby allows, such as .html, .haml and .html.erb.
![Screenshot: loading app/views/user/dashboard](/Article/UploadPic/2016-1/2016129135943328.png?www.myhack58.com)
Now imagine a user assigns ../admin/dashboard to the template parameter. What is the expected result? It is hard to say, but when we try it we see the application throw a "cannot find template" error.
![Screenshot: "cannot find template" error and search paths](/Article/UploadPic/2016-1/2016129135943707.png?www.myhack58.com)
Looking at the error above, you can see that the application tries multiple paths to find the view used for rendering, including RAILS_ROOT/app/views, RAILS_ROOT, and the root of the file system. This is somewhat confusing: why would it look for our template file starting from the system root directory?
Hacker instinct prompts us to assign /etc/passwd to the template parameter, and we then confirm that we can read the contents of the passwd file. At that point my colleagues and I were shocked.
![Screenshot: /etc/passwd rendered as a template](/Article/UploadPic/2016-1/2016129135943565.png?www.myhack58.com)
If we can read the passwd file, we can also read the application's source code and configuration files, such as config/initializers/secret_token.rb.
![Screenshot: config/initializers/secret_token.rb rendered](/Article/UploadPic/2016-1/2016129135943245.png?www.myhack58.com)
Don't forget what caused this vulnerability: the fact that you chose to set the template path dynamically.

```ruby
def show
  render params[:template]
end
```

A snippet this small was enough to let an attacker read our source code and configuration values, but unfortunately that is not the worst part.
As Jeff Jarmoc showed in his paper "The Anatomy of a Rails Vulnerability – CVE-2014-0130: From Directory Traversal to Shell" (http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf), we can use this vulnerability to obtain a shell on the Rails application. Jeff's paper describes a similar directory traversal caused by a problem in the render mechanism, or more precisely, a local file inclusion in some versions of Rails. In this article we focus on the explicit rendering problem, a vulnerability introduced by the developer.
Before going into the details, note that we need to focus on file inclusion rather than directory traversal: the difference is that the file we load is an ERB file, and it is executed. A directory traversal vulnerability generally returns non-executable content, such as a CSV file. So in essence we can not only read the application source code and other files readable by the system, we can also execute Ruby code. Being able to execute Ruby code means we may also execute system-level commands under the identity of the server process.
To get from file inclusion to code execution we use a log-poisoning technique, tainting the log file. Rails records every request in a log file such as development.log, including the parameters, and the log is stored as plaintext, so Ruby code can be written into it. An attacker can send a request whose parameters contain valid Ruby code, so that the carefully constructed Ruby code is recorded in the log file.
In the following example we send a legitimate request to the web server, then add the following URL-encoded value to a parameter:
![Screenshot: request with a URL-encoded parameter value](/Article/UploadPic/2016-1/2016129135943190.png?www.myhack58.com)
Looking at the log we can see that the request parameter values have been URL-decoded into a key-value pair; if the application renders this log file, the valid Ruby code it now contains will be executed.
![Screenshot: development.log entry with the decoded parameter](/Article/UploadPic/2016-1/2016129135943143.png?www.myhack58.com)
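A hardened form of the show action above, together with a detection pass over request log lines of the kind the log-poisoning step relies on, as an added example in plain Ruby (not code from the original article or from Rails); the allowlist, the `user/` view prefix and the sample log lines are constructed assumptions.

```ruby
# Added example, not code from the original article or from Rails: a plain-Ruby
# model of the two defensive controls the analysis implies. The allowlist,
# the view prefix and the sample log lines are constructed for illustration.

# 1. Hardened replacement for `render params[:template]`.
ALLOWED_TEMPLATES = %w[dashboard profile settings].freeze

# Map a user-supplied template name to a fixed view path, or return nil.
# Only bare lowercase names on the allowlist pass; separators, traversal
# sequences, absolute paths and extensions never reach the renderer.
def safe_template(name)
  return nil unless name.is_a?(String) && name.match?(/\A[a-z_]+\z/)
  return nil unless ALLOWED_TEMPLATES.include?(name)
  "user/#{name}" # in a controller: render(safe_template(params[:template]) || "user/dashboard")
end

# 2. Detection over request log lines: traversal or absolute paths in the
# template parameter, and ERB tags in any parameter (log poisoning attempts).
# Constructed sample lines in the shape Rails uses for "Parameters:".
SAMPLE_LOG = [
  'Parameters: {"template"=>"dashboard"}',
  'Parameters: {"template"=>"../admin/dashboard"}',
  'Parameters: {"template"=>"/etc/passwd"}',
  'Parameters: {"template"=>"dashboard", "q"=>"<%= 1 + 1 %>"}'
].freeze

# Return the list of reasons a log line looks suspicious (empty if none).
def suspicious_reasons(log_line)
  reasons = []
  m = log_line.match(/"template"\s*=>\s*"([^"]*)"/)
  if m
    value = m[1]
    reasons << :traversal if value.include?("../")
    reasons << :absolute_path if value.start_with?("/")
  end
  reasons << :erb_tag if log_line.include?("<%")
  reasons
end

# Run the detector over the sample log and report flagged lines.
SAMPLE_LOG.each do |line|
  r = suspicious_reasons(line)
  puts "#{r.empty? ? 'ok  ' : 'FLAG'} #{r.inspect} #{line}"
end
```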
