Nmap Development mailing list archives

http-vuln-cve2013-0156: Detection of RCE in Ruby on Rails servers


From: Paulino Calderon <paulino () calderonpale com>
Date: Thu, 04 Apr 2013 18:46:01 -0600

Hi list,

I know we are late to the party but still a very relevant vulnerability:
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-vuln-cve2013-0156.nse

description = [[
Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)

All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script sends 3 harmless yaml payloads to detect vulnerable installations. If the malformed object receives a status 500 response, the server is likely processing YAML objects and therefore vulnerable.

References:
* https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
* https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
* http://cvedetails.com/cve/2013-0156/

TODO:
* Add argument to exploit cmd exec vuln
]]

---
-- @usage
-- nmap -sV --script http-vuln-cve2013-0156 <target>
-- nmap -sV --script http-vuln-cve2013-0156 --script-args uri="/test/" <target>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2013-0156:
-- |   VULNERABLE:
-- | Parameter parsing vulnerabilities in several versions of Ruby on Rails allow object injection, remote command execution and Denial Of Service attacks (CVE-2013-0156)
-- |     State: VULNERABLE
-- |     Risk factor: High
-- |     Description:
-- | All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable to object injection, remote command execution and denial of service attacks.
-- | The attackers don't need to be authenticated to exploit these vulnerabilities.
-- |
-- |     References:
-- | https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
-- | https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
-- |_      http://cvedetails.com/cve/2013-0156/
--
-- @args http-vuln-cve2013-0156.uri Basepath URI (default: /).
---

Attachment: http-vuln-cve2013-0156.nse
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
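The version ranges in the script description are easy to misread when checking an inventory by hand. The following Ruby helper, added here as an example and not part of the NSE script or the Nmap project, encodes exactly the ranges the description lists (all versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, 3.2.x before 3.2.11) so an operator can test a Rails version string offline before or after running the scan; the handling of pre-release suffixes is an assumption of this example.

```ruby
# Added example: offline check of a Rails version string against the
# CVE-2013-0156 affected ranges stated in the http-vuln-cve2013-0156 description.
# Not part of the NSE script; the branch table below is transcribed from it.

# First non-vulnerable release on each maintained 3.x branch.
FIXED = {
  [3, 0] => [3, 0, 19],
  [3, 1] => [3, 1, 10],
  [3, 2] => [3, 2, 11],
}.freeze

# Everything below this is vulnerable ("all versions before 2.3.15").
FIRST_FIXED_LEGACY = [2, 3, 15].freeze

# Parse "3.2.11" into [3, 2, 11]. Non-numeric trailing components such as
# ".rc1" are dropped (assumption: pre-release tags are ignored), and a
# missing patch number is treated as 0.
def parse_version(str)
  parts = str.to_s.strip.split('.').take_while { |p| p =~ /\A\d+\z/ }.map(&:to_i)
  raise ArgumentError, "unparseable version: #{str.inspect}" if parts.size < 2
  parts.fill(0, parts.size...3)
end

# true when the version falls inside a range the script description lists
# as vulnerable; versions outside every listed range (3.3+, 4.x) are false.
def cve_2013_0156_vulnerable?(version_str)
  v = parse_version(version_str)
  branch = v[0, 2]
  if FIXED.key?(branch)
    (v <=> FIXED[branch]) < 0
  elsif v[0] < 3
    (v <=> FIRST_FIXED_LEGACY) < 0
  else
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not real hosts.
  { "app-a" => "3.2.10", "app-b" => "3.2.11", "app-c" => "2.3.5" }.each do |host, ver|
    puts "#{host}: Rails #{ver} => #{cve_2013_0156_vulnerable?(ver) ? 'VULNERABLE' : 'not in range'}"
  end
end
```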