Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability

Disclosed
2019-03-13
Created
2019-05-01

Description

This module exploits a vulnerability in Ruby on Rails. In development mode, a Rails
application would use its name as the secret_key_base, and that name can be easily
extracted by visiting an invalid resource for a path. As a result, a remote user can
create and deliver a signed serialized payload, have the application load it, and gain
remote code execution.
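
A configuration audit for the weakness described above, added here as an example and not taken from the module or from Rails. The function names, the application name "DemoApp" and the sample deployments are constructed, and the MD5-of-class-name fallback is an assumption about the affected Rails versions that this page does not spell out.

```ruby
require "digest"
require "securerandom"

# Values an outsider could derive once the application name is known.
# Assumption (not stated on this page): the development-mode fallback is an
# MD5 hex digest of the application class name, "<Name>::Application".
def guessable_secrets(app_name)
  names = [app_name, "#{app_name}::Application"]
  names + names.map { |n| Digest::MD5.hexdigest(n) }
end

# Returns a list of findings; an empty list means nothing was flagged.
def audit_secret_key_base(app_name:, rails_env:, secret:)
  findings = []
  dev_like = %w[development test].include?(rails_env.to_s)
  findings << "RAILS_ENV=#{rails_env}: development-mode defaults are active" if dev_like

  if secret.nil? || secret.strip.empty?
    findings << "secret_key_base is not set explicitly"
  elsif guessable_secrets(app_name).any? { |g| g.casecmp?(secret.strip) }
    findings << "secret_key_base can be derived from the application name"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample deployments for a hypothetical app called "DemoApp".
  samples = {
    "dev box exposed on a network" => { rails_env: "development", secret: nil },
    "prod with a copied dev key"   => { rails_env: "production",
                                        secret: Digest::MD5.hexdigest("DemoApp::Application") },
    "prod with a random key"       => { rails_env: "production", secret: SecureRandom.hex(64) }
  }
  samples.each do |label, cfg|
    findings = audit_secret_key_base(app_name: "DemoApp", **cfg)
    puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

Any finding means the key should be replaced with a randomly generated value and the instance kept off untrusted networks until it is.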

Authors

ooooooo_q
mpgn
sinn3r <sinn3r@metasploit.com>

Platform

Linux

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/multi/http/rails_double_tap
msf exploit(rails_double_tap) > show targets
...targets...
msf exploit(rails_double_tap) > set TARGET <target-id>
msf exploit(rails_double_tap) > show options
...show and set options...
msf exploit(rails_double_tap) > exploit
