author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 07:42:04 +0000 |
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 07:42:04 +0000 |
commit | 0d47952611198ef6b1163f366dc03922d20b1475 (patch) | |
tree | 3d840a3b8c0daef0754707bfb9f5e873b6b1ac13 /scripts/http-vuln-cve2013-0156.nse | |
parent | Initial commit. (diff) | |
Adding upstream version 7.94+git20230807.3be01efb1+dfsg.upstream/7.94+git20230807.3be01efb1+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'scripts/http-vuln-cve2013-0156.nse')
-rw-r--r-- | scripts/http-vuln-cve2013-0156.nse | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/scripts/http-vuln-cve2013-0156.nse b/scripts/http-vuln-cve2013-0156.nse
new file mode 100644
index 0000000..e112dec
--- /dev/null
+++ b/scripts/http-vuln-cve2013-0156.nse
@@ -0,0 +1,123 @@
+description = [[
+Detects Ruby on Rails servers vulnerable to object injection, remote command
+executions and denial of service attacks. (CVE-2013-0156)
+
+All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before
+3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script sends 3 harmless
+YAML payloads to detect vulnerable installations. If the malformed object
+receives a status 500 response, the server is processing YAML objects and
+therefore is likely vulnerable.
+
+References:
+* https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156',
+* https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ',
+* http://cvedetails.com/cve/2013-0156/
+]]
+
+---
+-- @usage
+-- nmap -sV --script http-vuln-cve2013-0156 <target>
+-- nmap -sV --script http-vuln-cve2013-0156 --script-args uri="/test/" <target>
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 80/tcp open http syn-ack
+-- | http-vuln-cve2013-0156:
+-- | VULNERABLE:
+-- | Parameter parsing vulnerabilities in several versions of Ruby on Rails allow object injection, remote command execution and Denial Of Service attacks (CVE-2013-0156)
+-- | State: VULNERABLE
+-- | Risk factor: High
+-- | Description:
+-- | All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable to object injection, remote command execution and denial of service attacks.
+-- | The attackers don't need to be authenticated to exploit these vulnerabilities.
+-- |
+-- | References:
+-- | https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
+-- | https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
+-- |_ http://cvedetails.com/cve/2013-0156/
+--
+-- @args http-vuln-cve2013-0156.uri Basepath URI (default: /).
+---
+
+-- TODO:
+-- * Add argument to exploit cmd exec vuln
+
+author = "Paulino Calderon <calderon@websec.mx>"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"exploit","vuln"}
+
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local vulns = require "vulns"
+
+portrule = shortport.http
+
+local PAYLOAD_OK = [=[<?xml version="1.0" encoding="UTF-8"?>
+<probe type="string"><![CDATA[
+nmap
+]]></probe>]=]
+
+local PAYLOAD_TIME = [=[<?xml version="1.0" encoding="UTF-8"?>
+<probe type="yaml"><![CDATA[
+--- !ruby/object:Time {}
+
+]]></probe>]=]
+
+local PAYLOAD_MALFORMED = [=[<?xml version="1.0" encoding="UTF-8"?>
+<probe type="yaml"><![CDATA[
+--- !ruby/object:^@
+]]></probe>
+]=]
+
+---
+--detect(host, port, uri)
+--Sends 3 payloads where one of them is malformed. Status 500 indicates that yaml parsing is enabled.
+---
+local function detect(host, port, uri)
+ local opts = {header={}}
+ opts["header"]["Content-type"] = 'application/xml'
+
+ local req_ok = http.post(host, port, uri, opts, nil, PAYLOAD_OK)
+ local req_time = http.post(host, port, uri, opts, nil, PAYLOAD_TIME)
+ stdnse.debug2("First request returned status %d. 
Second request returned status %d", req_ok.status, req_time.status)
+ if req_ok.status == 200 and req_time.status == 200 then
+ local req_malformed = http.post(host, port, uri, opts, nil, PAYLOAD_MALFORMED)
+ stdnse.debug2("Malformed request returned status %d", req_malformed.status)
+ if req_malformed.status == 500 then
+ return true
+ end
+ end
+
+ return false
+end
+
+---
+--MAIN
+action = function(host, port)
+ local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"
+ local vuln_table = {
+ title = "Parameter parsing vulnerabilities in several versions of Ruby on Rails allow object injection, remote command execution and Denial Of Service attacks (CVE-2013-0156)",
+ state = vulns.STATE.NOT_VULN,
+ risk_factor = "High",
+ description = [[
+All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable to object injection, remote command execution and denial of service attacks.
+The attackers don't need to be authenticated to exploit these vulnerabilities.
+]],
+
+ references = {
+ 'https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156',
+ 'https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ',
+ 'http://cvedetails.com/cve/2013-0156/',
+ }
+ }
+
+ if detect(host,port,uri) then
+ stdnse.debug1("Received status 500 as expected in vulnerable installations. Marking as vulnerable...")
+ vuln_table.state = vulns.STATE.VULN
+ local report = vulns.Report:new(SCRIPT_NAME, host, port)
+ return report:make_output(vuln_table)
+ end
+
+ return nil
+end |
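Review bot: In `detect`, the `stdnse.debug2("First request returned status %d. Second request returned status %d", req_ok.status, req_time.status)` call formats both statuses with `%d` before anything checks that the POSTs succeeded; when the target cannot be reached the Nmap http library returns a response table whose `status` is nil, and the `%d` conversion (presumably `string.format` underneath) raises instead of letting the function return false. A guard such as `if not (req_ok.status and req_time.status) then return false end` placed before that debug call, plus the same check on `req_malformed.status` before its own debug line, keeps a transient network error from aborting the script instead of reporting "not vulnerable". Separately, a bare 500 on the malformed probe is the only signal that sets `vulns.STATE.VULN`; any server that answers 500 to unparseable XML for unrelated reasons would be reported as vulnerable, so the docstring's "likely vulnerable" wording is worth repeating in the report description, e.g. `-- A 500 here only shows YAML-typed XML params are parsed; it does not prove the Rails version is affected.` This commit imports the file as a whole, so none of this is addressed by the change itself.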