ASA-2019-00130 – Ruby on Rails: Possible Remote Code Execution Exploit in Rails Development Mode


Allele Security Alert

ASA-2019-00130

Identifier(s)

ASA-2019-00130, CVE-2019-5420

Title

Possible Remote Code Execution Exploit in Rails Development Mode

Vendor(s)

Ruby on Rails core team

Product(s)

Ruby on Rails

Affected version(s)

Ruby on Rails 6.0.0.X pre-releases before 6.0.0.beta3
Ruby on Rails 5.2.X releases before 5.2.2.1 (releases earlier than 5.2.0 are not affected; the 4.2, 5.0 and 5.1 releases announced alongside the fix address other issues)

Fixed version(s)

Ruby on Rails 6.0.0.beta3
Ruby on Rails 5.2.2.1

Proof of concept

Yes

Description

With some knowledge of a target application it is possible for an attacker to guess the automatically generated development mode secret token (secret_key_base). Because every message the application signs or encrypts with ActiveSupport::MessageVerifier or ActiveSupport::MessageEncryptor is trusted on the strength of that secret alone, an attacker who knows it can forge such messages, and the Rails internals that deserialize forged messages (Active Storage among them; see the references below) can be turned into a remote code execution exploit.

All users running an affected release should upgrade, or apply the workaround below, immediately.

This issue can be mitigated by specifying an explicit secret key in development mode. In “config/environments/development.rb” add this:

config.secret_key_base = SecureRandom.hex(64)

Note that this expression is evaluated on every boot, so the development secret changes each time the server restarts and any cookies or signed tokens issued before the restart stop verifying. If that is a problem, generate the value once and load it from a file or environment variable kept out of version control. Production mode does not need this change, because it already refuses to start without an explicitly configured secret_key_base.
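The following is an added example, not code from the advisory or from Rails itself. It shows why a guessable secret_key_base matters: a minimal signer that mirrors the token layout of ActiveSupport::MessageVerifier in Rails 5.2 (Base64 payload, "--", hex HMAC-SHA1 over the payload) accepts any token produced by someone who knows the secret, so an attacker who can guess the secret forges tokens the application cannot distinguish from its own. The weak secret string and the payload are placeholders constructed for the demo; Rails serializes the payload with Marshal by default, which is the step that turns a forged message into code execution, whereas JSON is used here so the demo has no deserialization side effects.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

# Stripped-down stand-in for ActiveSupport::MessageVerifier (added example, not
# Rails' code). Token layout matches Rails 5.2 defaults:
#   Base64(payload) + "--" + hex(HMAC-SHA1(secret, Base64(payload)))
# JSON replaces Marshal as the serializer so verifying a forged token is harmless.
class MiniVerifier
  def initialize(secret, digest: "SHA1")
    @secret = secret
    @digest = digest
  end

  # Sign a value the way the application would.
  def generate(value)
    data = Base64.strict_encode64(JSON.generate(value))
    "#{data}--#{hmac(data)}"
  end

  # Return the value only if the HMAC matches; nil for a missing, bad or tampered token.
  def verified(token)
    data, sig = token.to_s.split("--", 2)
    return nil if data.nil? || sig.nil? || data.empty?
    return nil unless secure_compare(hmac(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest(@digest, @secret, data)
  end

  # Constant-time comparison so the check itself does not leak the signature.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Does a token signed with the attacker's guess pass the application's verifier?
# app_secret is what the application actually uses; attacker_guess is what the
# attacker believes it to be. The payload is a constructed placeholder.
def forgery_accepted?(app_secret, attacker_guess, payload = { "blob_id" => 42 })
  app_verifier = MiniVerifier.new(app_secret)
  forged = MiniVerifier.new(attacker_guess).generate(payload)
  app_verifier.verified(forged) == payload
end

if $PROGRAM_NAME == __FILE__
  # Constructed scenario: the weak secret is a placeholder standing in for an
  # auto-generated development secret that the attacker can predict.
  weak_secret = "predictable-development-secret"
  strong_secret = SecureRandom.hex(64) # the advisory's workaround
  puts "weak secret, attacker guesses it: #{forgery_accepted?(weak_secret, weak_secret)}"
  puts "random secret, same guess:        #{forgery_accepted?(strong_secret, weak_secret)}"
end
```

With the weak secret the forged token verifies; with a 64-byte random secret the same guess fails, which is exactly what the workaround above achieves. The real Rails verifiers derive per-purpose keys from secret_key_base with a key generator rather than using it directly, but the attacker can run that same derivation, so the conclusion is unchanged.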

Technical details

Unknown

Credits

ooooooo_q

Reference(s)

Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 have been released!
https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/

[CVE-2019-5420] Possible Remote Code Execution Exploit in Rails Development Mode
https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw

[CVE-2019-5420] Possible Remote Code Execution Exploit in Rails Development Mode
https://seclists.org/oss-sec/2019/q1/176

Zero Day Initiative – Remote Code Execution via Ruby on Rails Active Storage Insecure Deserialization
https://www.zerodayinitiative.com/blog/2019/6/20/remote-code-execution-via-ruby-on-rails-active-storage-insecure-deserialization

RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage)
https://hackerone.com/reports/473888

CVE-2019–5420 and defence-in-depth
https://blog.pentesterlab.com/cve-2019-5420-and-defence-in-depth-b502a64a80dd

CVE-2019-5420
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5420

CVE-2019-5420
https://nvd.nist.gov/vuln/detail/CVE-2019-5420

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 20, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.