Rapid7 VulnDB

Ruby on Rails Known Secret Session Cookie Remote Code Execution

Back to Search

Ruby on Rails Known Secret Session Cookie Remote Code Execution

Disclosed
04/11/2013
Created
05/30/2018

Description

This module implements Remote Command Execution on Ruby on Rails applications. Prerequisite is knowledge of the "secret_token" (Rails 2/3) or "secret_key_base" (Rails 4). The values for those can be usually found in the file "RAILS_ROOT/config/initializers/secret_token.rb". The module achieves RCE by deserialization of a crafted Ruby Object.

Author(s)

  • joernchen of Phenoelit <joernchen@phenoelit.de>

Platform

Ruby

Architectures

ruby

Development

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/rails_secret_deserialization
msf exploit(rails_secret_deserialization) > show targets
    ...targets...
msf exploit(rails_secret_deserialization) > set TARGET < target-id >
msf exploit(rails_secret_deserialization) > show options
    ...show and set options...
msf exploit(rails_secret_deserialization) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;