Rails 5.2 Generate Secret Key Base

Apr 15, 2019  These are the key differences in credentials management between Rails 5.2 and previous versions: before Rails 5.2, secret_key_base was located in config/secrets.yml.

Rails
  • New in Rails 5.2 with rails new.
  • Oct 10, 2019  An example of the decrypted credentials file as opened for editing:

        aws:
          access_key_id: 123
          secret_access_key: 345
        github:
          app_id: 123
          app_secret: 345
        secret_key_base:

    When we save it, it is encrypted again using the same master key. If no default editor is set and we have not specified one, we get the following message:

        $ rails credentials:edit
        No $EDITOR to open file in.

RCE on Rails 5.2.2 using a path traversal (CVE-2019-5418) and a deserialization of Ruby objects (CVE-2019-5420)


Technical Analysis:

  • CVE-2019-5418 - https://github.com/mpgn/CVE-2019-5418
  • CVE-2019-5420 - https://hackerone.com/reports/473888

Security Advisory:

  • CVE-2019-5418 - https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
  • CVE-2019-5420 - https://groups.google.com/forum/#!searchin/rubyonrails-security/CVE-2019-5420

Exploit


  1. The exploit checks whether the Rails application is vulnerable to CVE-2019-5418
  2. It then retrieves the contents of the files credentials.yml.enc and master.key
  3. It decrypts credentials.yml.enc and reads the secret_key_base value
  4. It crafts a request to the resource /rails/active_storage/disk/:encoded_key/*filename(.:format) => CVE-2019-5420
  5. It sends the request to the vulnerable server
  6. The code is executed on the server

Mitigations

  • You may notice that the cache level is disabled in the exploit, but a race condition can be used to retrieve the two files: https://gist.github.com/snyff/04c3463845480632a1fe192308c31439#file-race_condition-sh

Fix of CVE-2019-5420


Fix of CVE-2019-5418