Apr 15, 2019 These are the key differences in credentials management between Rails 5.2 and previous versions: before Rails 5.2, secret_key_base was located in config/secrets.yml.
- Run rails new fresh on Rails 5.2.
- Oct 10, 2019 The decrypted credentials file:
  aws:
    access_key_id: 123
    secret_access_key: 345
  github:
    app_id: 123
    app_secret: 345
  secret_key_base:
  When we save it, it is encrypted again using the same master key. If no default editor is set and we have not specified one, we get the following message:
  $ rails credentials:edit
  No $EDITOR to open file in.
RCE on Rails 5.2.2 using a path traversal (CVE-2019-5418) and a deserialization of Ruby objects (CVE-2019-5420)
Technical Analysis:
- CVE-2019-5418 - https://github.com/mpgn/CVE-2019-5418
- CVE-2019-5420 - https://hackerone.com/reports/473888
Security Advisory:
- CVE-2019-5418 - https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
- CVE-2019-5420 - https://groups.google.com/forum/#!searchin/rubyonrails-security/CVE-2019-5420
Exploit
- The exploit checks whether the Rails application is vulnerable to CVE-2019-5418
- It then retrieves the contents of two files: credentials.yml.enc and master.key
- It decrypts credentials.yml.enc and extracts the secret_key_base value
- It crafts a request to the resource /rails/active_storage/disk/:encoded_key/*filename(.:format) (CVE-2019-5420) and sends it to the vulnerable server
- The code is executed on the server
Mitigations
- You may notice that the cache level is disabled in the exploit, but you can use a race condition to retrieve the two files: https://gist.github.com/snyff/04c3463845480632a1fe192308c31439#file-race_condition-sh
Fix of CVE-2019-5420
Fix of CVE-2019-5418
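A defender's first check for both CVEs is whether the Rails release pinned in an application is older than the patched release for its branch. The Ruby script below is an added example, not code from the exploit repository or from Rails: it reads the rails gem version from a Gemfile.lock and reports the patch status per CVE; the patched release numbers are the ones the advisories linked above give, and the lockfile is a constructed sample.

```ruby
# Added example (not from the exploit repo or Rails): report whether the Rails
# release pinned in a Gemfile.lock predates the fixes for the two CVEs.
require "rubygems"

# First patched release per branch, as listed in the rubyonrails-security
# advisories linked above (assumption: re-check the advisory for other branches).
FIXED = {
  "CVE-2019-5418" => %w[4.2.11.1 5.0.7.2 5.1.6.2 5.2.2.1 6.0.0.beta3],
  "CVE-2019-5420" => %w[5.2.2.1 6.0.0.beta3],
}.freeze
# CVE-2019-5420 affects only the 5.2 and 6.0 lines; nil means every branch.
AFFECTED_BRANCHES = { "CVE-2019-5418" => nil, "CVE-2019-5420" => %w[5.2 6.0] }.freeze

# The `specs:` entry is indented 4 spaces; the `DEPENDENCIES` entry (2 spaces,
# with a constraint such as `~>`) is deliberately not matched.
def rails_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}rails \(([^)]+)\)$/)
  m && m[1]
end

# true when the installed release is at or past the fix for its branch.
def patched?(installed, cve)
  v = Gem::Version.new(installed)
  branch = v.segments.first(2).join(".")
  affected = AFFECTED_BRANCHES.fetch(cve)
  return true if affected && !affected.include?(branch)
  fixed = FIXED.fetch(cve).find { |f| f.start_with?("#{branch}.") }
  # Unlisted branches: newer than the last fix means it is included, older means not.
  fixed ||= FIXED.fetch(cve).max_by { |f| Gem::Version.new(f) }
  v >= Gem::Version.new(fixed)
end

# Map each CVE to its patch status; nil when no rails gem is pinned.
def assess_lockfile(lock_text)
  version = rails_version_from_lockfile(lock_text) or return nil
  FIXED.keys.to_h { |cve| [cve, patched?(version, cve)] }
end

# Constructed sample lockfile (not a real project's) pinning the 5.2.2 release.
SAMPLE_LOCK = <<LOCK
GEM
  remote: https://rubygems.org/
  specs:
    actionview (5.2.2)
    rails (5.2.2)
      actionview (= 5.2.2)

DEPENDENCIES
  rails (~> 5.2.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  assess_lockfile(SAMPLE_LOCK).each { |cve, ok| puts "#{cve}: #{ok ? 'patched' : 'VULNERABLE'}" }
end
```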