Nmap Development mailing list archives
http-vuln-cve2013-0156: Detection of RCE in Ruby on Rails servers
From: Paulino Calderon <paulino () calderonpale com>
Date: Thu, 04 Apr 2013 18:46:01 -0600
Hi list,

I know we are late to the party but still a very relevant vulnerability:

https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-vuln-cve2013-0156.nse

description = [[
Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)

All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script sends 3 harmless yaml payloads to detect vulnerable installations. If the malformed object receives a status 500 response, the server is likely processing YAML objects and therefore vulnerable.

References:
* https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
* https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
* http://cvedetails.com/cve/2013-0156/

TODO:
* Add argument to exploit cmd exec vuln
]]

---
-- @usage
-- nmap -sV --script http-vuln-cve2013-0156 <target>
-- nmap -sV --script http-vuln-cve2013-0156 --script-args uri="/test/" <target>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2013-0156:
-- |   VULNERABLE:
-- |   Parameter parsing vulnerabilities in several versions of Ruby on Rails allow object injection, remote command execution and Denial Of Service attacks (CVE-2013-0156)
-- |     State: VULNERABLE
-- |     Risk factor: High
-- |     Description:
-- |       All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable to object injection, remote command execution and denial of service attacks.
-- |       The attackers don't need to be authenticated to exploit these vulnerabilities.
-- |
-- |     References:
-- |       https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
-- |       https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
-- |_      http://cvedetails.com/cve/2013-0156/
--
-- @args http-vuln-cve2013-0156.uri Basepath URI (default: /).
---
Attachment:
http-vuln-cve2013-0156.nse
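
A defender-side complement to the network probe described in the post, as an added example that is not part of the original message or of the NSE script: it checks the Rails version resolved in a Gemfile.lock against the affected ranges quoted in the script description. The function names, the constructed sample lockfile, and the assumption that actionpack carries the same version number as rails are this example's own.

```ruby
require "rubygems" # Gem::Version does the version comparison

# First fixed release per branch, taken from the ranges quoted in the post.
FIXED_IN = {
  "2.3" => Gem::Version.new("2.3.15"),
  "3.0" => Gem::Version.new("3.0.19"),
  "3.1" => Gem::Version.new("3.1.10"),
  "3.2" => Gem::Version.new("3.2.11"),
}.freeze

# True when a Rails version string falls inside the affected ranges.
def cve_2013_0156_affected?(version)
  v = Gem::Version.new(version)
  return true if v < FIXED_IN["2.3"] # "all versions before 2.3.15"
  # Pad so a bare "3" is read as branch 3.0.
  branch = (v.segments + [0]).first(2).join(".")
  fixed = FIXED_IN[branch]
  fixed ? v < fixed : false # branches outside the quoted ranges: not affected
end

# Scan Gemfile.lock text. Resolved gems sit at four spaces of indent as
# "name (version)"; their dependency lines are indented further and skipped.
# Assumption: actionpack is released with the same version number as rails.
def audit_lockfile(text)
  text.each_line.map do |line|
    m = line.match(/\A {4}(rails|actionpack) \(([^)\s]+)\)\s*\z/)
    next unless m
    { gem: m[1], version: m[2], affected: cve_2013_0156_affected?(m[2]) }
  end.compact
end

# Constructed sample input, not taken from any real application.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.10)
        activesupport (= 3.2.10)
      rails (3.2.10)
        actionpack (= 3.2.10)
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCK).each do |r|
    puts "#{r[:gem]} #{r[:version]}: #{r[:affected] ? 'AFFECTED' : 'ok'}"
  end
end
```

A lockfile check like this only covers applications whose source is at hand; the status-500 probe in the script is for hosts where it is not.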