{"id":59357,"date":"2024-09-01T20:29:44","date_gmt":"2024-09-01T17:29:44","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181172\/rails_json_yaml_scanner.rb.txt"},"modified":"2024-09-01T20:29:44","modified_gmt":"2024-09-01T17:29:44","slug":"ruby-on-rails-json-processor-yaml-deserialization-scanner","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/ruby-on-rails-json-processor-yaml-deserialization-scanner\/","title":{"rendered":"Ruby On Rails JSON Processor YAML Deserialization Scanner"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner<\/p>\n

def initialize(info={})
super(update_info(info,
‘Name’ => ‘Ruby on Rails JSON Processor YAML Deserialization Scanner’,
‘Description’ => %q{
This module attempts to identify Ruby on Rails instances vulnerable to
an arbitrary object instantiation flaw in the JSON request processor.
},
‘Author’ =>
[
‘jjarmoc’, # scanner module
‘hdm’ # CVE-2013-0156 scanner, basis of this technique.
],
‘License’ => MSF_LICENSE,
‘References’ =>
[
[‘CVE’, ‘2013-0333’]]))<\/p>\n

register_options([
OptString.new(‘TARGETURI’, [true, “The URI to test”, “\/”]),
OptEnum.new(‘HTTP_METHOD’, [true, ‘HTTP Method’, ‘POST’, [‘GET’, ‘POST’, ‘PUT’]]),
])
end<\/p>\n

def send_probe(pdata)
res = send_request_cgi({
‘uri’ => normalize_uri(datastore[‘TARGETURI’]),
‘method’ => datastore[‘HTTP_METHOD’],
‘ctype’ => ‘application\/json’,
‘data’ => pdata
})
end<\/p>\n

def run_host(ip)<\/p>\n

# Straight JSON as a baseline
res1 = send_probe(
“{ \\”#{Rex::Text.rand_text_alpha(rand(8)+1)}\\” : \\”#{Rex::Text.rand_text_alpha(rand(8)+1)}\\” }”
)<\/p>\n

unless res1
vprint_status(“#{rhost}:#{rport} No reply to the initial JSON request”)
return
end<\/p>\n

if res1.code.to_s =~ \/^[5]\/
vprint_error(“#{rhost}:#{rport} The server replied with #{res1.code} for our initial JSON request, double check TARGETURI and HTTP_METHOD”)
return
end<\/p>\n

# Deserialize a hash, this should work if YAML deserializes.
res2 = send_probe(“— {}\\n”.gsub(‘:’, ‘\\u003a’))<\/p>\n

unless res2
vprint_status(“#{rhost}:#{rport} No reply to the initial YAML probe”)
return
end<\/p>\n

# Deserialize a malformed object, inducing an error.
res3 = send_probe(“— !ruby\/object:\\x00”.gsub(‘:’, ‘\\u003a’))<\/p>\n

unless res3
vprint_status(“#{rhost}:#{rport} No reply to the second YAML probe”)
return
end<\/p>\n

vprint_status(“Probe response codes: #{res1.code} \/ #{res2.code} \/ #{res3.code}”)<\/p>\n

if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)
# If first and second requests are the same, and the third is different but not a 200, we’re vulnerable.
print_good(“#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML”)
report_vuln({
:host => rhost,
:port => rport,
:proto => ‘tcp’,
:name => self.name,
:info => “Module triggered a #{res3.code} reply”,
:refs => self.references
})
else
# Otherwise we’re not likely vulnerable.
vprint_status(“#{rhost}:#{rport} is not likely to be vulnerable or TARGETURI & HTTP_METHOD must be set”)
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Scanner def initialize(info={})super(update_info(info,‘Name’ => ‘Ruby on Rails JSON Processor YAML Deserialization Scanner’,‘Description’ => %q{This module attempts to identify Ruby on Rails instances vulnerable toan arbitrary object instantiation flaw in the JSON request processor.},‘Author’ =>[‘jjarmoc’, # scanner module‘hdm’ # CVE-2013-0156 scanner, basis …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59357","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59357","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59357"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59357\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}