Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

CVE-2013-0156

Disclosure Date: January 13, 2013
CVE-2013-0156
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeUnauthenticatedVulnerable in default configuration
Technical Analysis

This vulnerability is old now and targets old version of Rails. But if you face such an app it’s really easy to get RCE using an existing PoC. However, editing the YAML manually can be difficult because it’s very space sensitive.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
exploit/multi/http/rails_xml_yaml_code_exec
auxiliary/scanner/http/rails_xml_yaml_scanner
exploit/multi/http/rails_secret_deserialization
Reporter
Unknown

Vendors

  • debian,
  • rubyonrails

Products

  • debian linux 6.0,
  • debian linux 7.0,
  • rails,
  • ruby on rails

References

Canonical
CVE-2013-0156 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156)
Advisory
[rubyonrails-security] 20130108 Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156) (https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain)
http://rhn.redhat.com/errata/RHSA-2013-0155.html
VU#628463 (http://www.kb.cert.org/vuls/id/628463)
http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html
VU#380039 (http://www.kb.cert.org/vuls/id/380039)
APPLE-SA-2013-03-14-1 (http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html)
DSA-2604 (http://www.debian.org/security/2013/dsa-2604)
http://rhn.redhat.com/errata/RHSA-2013-0154.html
https://puppet.com/security/cve/cve-2013-0156
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released
http://rhn.redhat.com/errata/RHSA-2013-0153.html
Exploit
https://gist.github.com/postmodern/4499206
Miscellaneous
http://www.insinuator.net/2013/01/rails-yaml
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
http://www.insinuator.net/2013/01/rails-yaml/
https://access.redhat.com/errata/RHSA-2013:0153
https://access.redhat.com/errata/RHSA-2013:0154
https://access.redhat.com/errata/RHSA-2013:0155
https://access.redhat.com/security/cve/CVE-2013-0156
https://bugzilla.redhat.com/show_bug.cgi?id=892870

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis