search

mpgn / Rails-doubletap-RCE

RCE on Rails 5.2.2 using a path traversal (CVE-2019-5418) and a deserialization of Ruby objects (CVE-2019-5420)
134 stars 33 forks source link

Unable to start demo app #2

Open romanianstrife opened 5 years ago

romanianstrife commented 5 years ago

I ran 

bundle install

then I got the error

 /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/application.rb:585:in `validate_secret_key_base': Missing `secret_key_base` for 'production' environment, set this string with `rails credentials:edit` (ArgumentError)

so I ran

rails credentials:edit

then I got the error

root@none:/var/www/Rails-doubletap-RCE/demo-5.2.1# rails s -b 0.0.0.0 -e production => Booting Puma => Rails 5.2.1 application starting in production => Run rails server -h for more startup options Exiting Traceback (most recent call last): 104: from bin/rails:4:in <main>' 103: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:287:inrequire' 102: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:253:in load_dependency' 101: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:287:inblock in require' 100: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:29:in require' 99: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:20:inrequire_with_bootsnap_lfi' 98: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/loaded_features_index.rb:83:in register' 97: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:21:inblock in require_with_bootsnap_lfi' 96: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:21:in require' 95: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/commands.rb:18:in

' 94: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/command.rb:46:in invoke' 93: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/command/base.rb:65:inperform' 92: from /usr/local/rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor.rb:387:in dispatch' 91: from /usr/local/rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/invocation.rb:126:ininvoke_command' 90: from /usr/local/rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/command.rb:27:in run' 89: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/commands/server/server_command.rb:142:inperform' 88: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/commands/server/server_command.rb:142:in tap' 87: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/commands/server/server_command.rb:147:inblock in perform' 86: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/commands/server/server_command.rb:53:in start' 85: from /usr/local/rvm/gems/ruby-2.5.1/gems/rack-2.0.6/lib/rack/server.rb:283:instart' 84: from /usr/local/rvm/gems/ruby-2.5.1/gems/rack-2.0.6/lib/rack/server.rb:354:in wrapped_app' 83: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/commands/server/server_command.rb:27:inapp' 82: from /usr/local/rvm/gems/ruby-2.5.1/gems/rack-2.0.6/lib/rack/server.rb:219:in app' 81: from /usr/local/rvm/gems/ruby-2.5.1/gems/rack-2.0.6/lib/rack/server.rb:319:inbuild_app_and_options_from_config' 80: from /usr/local/rvm/gems/ruby-2.5.1/gems/rack-2.0.6/lib/rack/builder.rb:40:in parse_file' 79: from /usr/local/rvm/gems/ruby-2.5.1/gems/rack-2.0.6/lib/rack/builder.rb:49:innew_from_string' 78: from /usr/local/rvm/gems/ruby-2.5.1/gems/rack-2.0.6/lib/rack/builder.rb:49:in eval' 77: from config.ru:in
' 76: from config.ru:in new' 75: from /usr/local/rvm/gems/ruby-2.5.1/gems/rack-2.0.6/lib/rack/builder.rb:55:ininitialize' 74: from /usr/local/rvm/gems/ruby-2.5.1/gems/rack-2.0.6/lib/rack/builder.rb:55:in instance_eval' 73: from config.ru:3:inblock in
' 72: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:44:in require_relative' 71: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:287:inrequire' 70: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:253:in load_dependency' 69: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:287:inblock in require' 68: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:29:in require' 67: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:20:inrequire_with_bootsnap_lfi' 66: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/loaded_features_index.rb:83:in register' 65: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:21:inblock in require_with_bootsnap_lfi' 64: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:21:in require' 63: from /var/www/Rails-doubletap-RCE/demo-5.2.1/config/environment.rb:5:in
' 62: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/application.rb:361:in initialize!' 61: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/initializable.rb:60:inrun_initializers' 60: from /usr/local/rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/tsort.rb:205:in tsort_each' 59: from /usr/local/rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/tsort.rb:226:intsort_each' 58: from /usr/local/rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/tsort.rb:347:in each_strongly_connected_component' 57: from /usr/local/rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/tsort.rb:347:incall' 56: from /usr/local/rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/tsort.rb:347:in each' 55: from /usr/local/rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/tsort.rb:349:inblock in each_strongly_connected_component' 54: from /usr/local/rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/tsort.rb:431:in each_strongly_connected_component_from' 53: from /usr/local/rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/tsort.rb:350:inblock (2 levels) in each_strongly_connected_component' 52: from /usr/local/rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/tsort.rb:228:in block in tsort_each' 51: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/initializable.rb:61:inblock in run_initializers' 50: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/initializable.rb:32:in run' 49: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/initializable.rb:32:ininstance_exec' 48: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/application/finisher.rb:69:in block in <module:Finisher>' 47: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/application/finisher.rb:69:ineach' 46: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/engine.rb:356:in eager_load!' 45: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/engine.rb:475:ineager_load!' 44: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/engine.rb:475:in each' 43: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/engine.rb:477:inblock in eager_load!' 42: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/engine.rb:477:in each' 41: from /usr/local/rvm/gems/ruby-2.5.1/gems/railties-5.2.1/lib/rails/engine.rb:478:inblock (2 levels) in eager_load!' 40: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:244:in require_dependency' 39: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/active_support.rb:82:independ_on' 38: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:330:in depend_on' 37: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/active_support.rb:47:inrequire_or_load' 36: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/active_support.rb:16:in allow_bootsnap_retry' 35: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/active_support.rb:48:inblock in require_or_load' 34: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:352:in require_or_load' 33: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:37:inload_interlock' 32: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies/interlock.rb:13:in loading' 31: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/concurrency/share_lock.rb:151:inexclusive' 30: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies/interlock.rb:14:in block in loading' 29: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:37:inblock in load_interlock' 28: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:369:in block in require_or_load' 27: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:471:inload_file' 26: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:657:in new_constants_in' 25: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/dependencies.rb:472:inblock in load_file' 24: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:50:in load' 23: from /usr/local/rvm/gems/ruby-2.5.1/gems/bootsnap-1.4.1/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:50:inload' 22: from /usr/local/rvm/gems/ruby-2.5.1/gems/activestorage-5.2.1/app/models/active_storage/blob.rb:16:in <main>' 21: from /usr/local/rvm/gems/ruby-2.5.1/gems/activestorage-5.2.1/app/models/active_storage/blob.rb:206:in' 20: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/lazy_load_hooks.rb:51:in run_load_hooks' 19: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/lazy_load_hooks.rb:51:ineach' 18: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/lazy_load_hooks.rb:52:in block in run_load_hooks' 17: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/lazy_load_hooks.rb:67:inexecute_hook' 16: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/lazy_load_hooks.rb:62:in with_execution_control' 15: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/lazy_load_hooks.rb:71:inblock in execute_hook' 14: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/lazy_load_hooks.rb:71:in instance_eval' 13: from /usr/local/rvm/gems/ruby-2.5.1/gems/activestorage-5.2.1/lib/active_storage/engine.rb:81:inblock (2 levels) in ' 12: from /usr/local/rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/erb.rb:876:in result' 11: from /usr/local/rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/erb.rb:876:ineval' 10: from (erb):12:in <main>' 9: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/core_ext/module/delegation.rb:271:inmethod_missing' 8: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/encrypted_configuration.rb:38:in options' 7: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/encrypted_configuration.rb:33:inconfig' 6: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/encrypted_configuration.rb:21:in read' 5: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/encrypted_file.rb:42:inread' 4: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/encrypted_file.rb:79:in decrypt' 3: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/messages/rotator.rb:21:indecrypt_and_verify' 2: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/message_encryptor.rb:157:in decrypt_and_verify' 1: from /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/message_encryptor.rb:183:in_decrypt' /usr/local/rvm/gems/ruby-2.5.1/gems/activesupport-5.2.1/lib/active_support/message_encryptor.rb:206:in `rescue in _decrypt': ActiveSupport::MessageEncryptor::InvalidMessage (ActiveSupport::MessageEncryptor::InvalidMessage)

romanianstrife commented 5 years ago

Any idea on how I can get this demo app to run?

mpgn commented 5 years ago

Try this: https://github.com/rails/rails/issues/31397#issuecomment-387561117

romanianstrife commented 5 years ago

Now I am getting

/usr/local/rvm/gems/ruby-2.5.1/gems/execjs-2.7.0/lib/execjs/runtimes.rb:58:in `autodetect': Could not find a JavaScript runtime. See https://github.com/rails/execjs for a list of available runtimes. (ExecJS::RuntimeUnavailable)

and I already went there and installed therubyracer

any ideas?

tijldeneut commented 5 years ago

FYI, full installation based on current commit (tested on Debian 9/10/Kali):

apt update && apt install -y git curl curl -sSL https://get.rvm.io -o rvm.sh && bash rvm.sh && source /etc/profile.d/rvm.sh rvm install ruby-2.5.1 git clone https://github.com/mpgn/Rails-doubletap-RCE && cd Rails-doubletap-RCE/demo-5.2.1 sed -i "s/# gem 'mini_racer/gem 'mini_racer/g" Gemfile bundle install rm config/credentials.yml.enc && EDITOR=vi rails credentials:edit ## --> Just save & exit 'ZZ' rails s -b 0.0.0.0 -e production

tijldeneut commented 5 years ago

And to make the exploit work, change the IP address & port and run this to bypass proxy requirement: sed -i "s/, $proxy_addr, $proxy_port//g" exploit.rb