
CVE-2013-0156

Published: 13/01/2013 Updated: 13/02/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 873
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

active_support/core_ext/hash/conversions.rb in Ruby on Rails prior to 2.3.15, 3.0.x prior to 3.0.19, 3.1.x prior to 3.1.10, and 3.2.x prior to 3.2.11 does not properly restrict casts of string values, which allows remote malicious users to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

Vulnerable Products

rubyonrails: ruby on rails

rubyonrails: rails

debian: debian linux 7.0

debian: debian linux 6.0

Vendor Advisories

Synopsis: Critical: Ruby on Rails security update. Type/Severity: Security Advisory: Critical. Topic: Updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecord packages that fix multiple security issues are now available for Red Hat Subscription Asset Manager. The Red Hat Security Response Team ha ...
Synopsis: Critical: Ruby on Rails security update. Type/Severity: Security Advisory: Critical. Topic: Updated rubygem-actionpack, rubygem-activesupport, ruby193-rubygem-actionpack, and ruby193-rubygem-activesupport packages that fix multiple security issues are now available for Red Hat OpenShift Enterprise 1.0. The ...
Debian Bug report logs - #697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-1802). Package: libextlib-ruby; Maintainer for libextlib-ruby is Bryan McLellan <btm@loftninjas.org>; Source for libextlib-ruby is src:ruby-extlib (PTS, buildd, popcon). Reported by: Joshua Timberman <joshua@opscode.com> ...
Debian Bug report logs - #697722: rails: CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack. Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails (PTS, buildd, popcon). Reported by: Henri Salo <henr ...

Exploits

This Metasploit module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any Ruby code remotely in the context of the application. This vulnerability is very similar to CVE ...
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking # Helper Classes co ...
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit ...
This module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any Ruby code remotely in the context of the application. This vulnerability i ...

Nmap Scripts

http-vuln-cve2013-0156

Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)

nmap -sV --script http-vuln-cve2013-0156 <target>
nmap -sV --script http-vuln-cve2013-0156 --script-args uri="/test/" <target>

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2013-0156:
|   VULNERABLE:
|   Parameter parsing vulnerabilities in several versions of Ruby on Rails allow object injection, remote command execution and Denial Of Service attacks (CVE-2013-0156)
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable to object injection, remote command execution and denial of service attacks.
|       The attackers don't need to be authenticated to exploit these vulnerabilities.
|
|     References:
|       https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
|       https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
|_      http://cvedetails.com/cve/2013-0156/

Metasploit Modules

Ruby on Rails JSON Processor YAML Deserialization Code Execution

This module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This vulnerability is very similar to CVE-2013-0156. This module has been tested successfully on RoR 3.0.9, 3.0.19, and 2.3.15. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.

msf > use exploit/multi/http/rails_json_yaml_code_exec
msf exploit(rails_json_yaml_code_exec) > show targets
    ...targets...
msf exploit(rails_json_yaml_code_exec) > set TARGET < target-id >
msf exploit(rails_json_yaml_code_exec) > show options
    ...show and set options...
msf exploit(rails_json_yaml_code_exec) > exploit

Github Repositories

Inspect all of your heroku apps to see if they are running a vulnerable version of Rails

heroku-CVE-2013-0156: This vulnerability has been supplanted by CVE-2013-0333. See groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo for more details. A replacement for this script, covering CVE-2013-0333, can be found at github.com/heroku/heroku-CVE-2013-0333.

Send and retrieve your ruby i18n localizations to the Locale translation service

Locale: The localeapp gem connects your Rails app to the Locale service on www.localeapp.com. Locale makes hand editing translation files something you don't have to do. The gem hooks into the i18n exception mechanism to send missing translations to the app. When translated content has been added it's automatically pulled down so you can see it straight awa

A collection of Nmap NSE scripts that I made.

Nmap NSE Scripts: A collection of Nmap NSE scripts that I made. Scripts: http-rails-xml-parser: This script sends a specially crafted XML body in a POST request to any detected web services to see if it is a Ruby on Rails server that is vulnerable to the recently discovered CVE-2013-0156 bug. Usage: $ nmap -sV --script http-rails-xml-parser <target>

Web hacking assistance toolkit

libpywebhack: A class with plenty of useful instruments for web application analysis. See libpywebhack.html for pydoc-generated documentation. Installation: Run $ python setup.py install or just put your scripts in the same directory. License: Creative Commons Attribution Non-Commercial Share Alike. Key features: Detecting a web-server, platform, links, some sensitive files (meth

PsychShield provides a filtering mechanism for YAML.load when using the Psych parser

Psych Shield: Psych Shield provides a way to filter objects during a YAML.load call when the Psych parser is used (default in Ruby 1.9). This can prevent malicious input to a YAML.load call from resulting in bad things within your application. This is a dirty hack that allows applications that need to accept untrusted YAML input to continue doing so until they can be ported to a

Bootstrapped Rails 3.2.10 to test the remote code exploit CVE-2013-0156

Rails PoC exploits for CVE-2013-0156 and CVE-2013-0155: Bootstrapped a Rails 3.2.10 application with the remote code execution exploit. Ref: github.com/ronin-ruby/ronin-ruby.github.com/blob/rails-pocs/blog/_posts/2013-01-09-rails-pocs.md. Setup: Install gem dependencies and fire up the app on port 3002: $ bundle install $ rake db:migrate $ rails s -p

A Chargify API wrapper for Ruby using ActiveResource

Notice: As of Aug 30, 2022, this wrapper is no longer updated or maintained. Chargify API wrapper for Ruby (using ActiveResource). This is a community-maintained Ruby wrapper for the Chargify API that leverages ActiveResource. Though we do not proactively maintain it, Chargify is happy to review pull requests and manage the release process for the gem. We encourage community c

Modified chargify_api_ares with ability to generate hosted page URLs

Chargify API wrapper for Ruby (using ActiveResource). Please see important compatibility information at the bottom of this file. This is a Ruby wrapper for the Chargify API that leverages ActiveResource. It allows you to interface with the Chargify API using simple ActiveRecord-like syntax, i.e.: Chargify::Subscription.create( :customer_reference => 'moklett'

Rails XML vulnerability demo for January Tech Valley Ruby Brigade

Rails XML Vulnerability Demo: This project was used along with a recent install of Metasploit to demonstrate the practical application of CVE-2013-0156 against an unpatched Rails 3.2.10 application for the January 2013 Tech Valley Ruby Brigade. It is broken into three main commits, detailed below. For the vulnerable application server, you require git, a recent RVM and the abili

The only safe eval is no eval.

Disable Eval: The only safe eval is no eval. This gem provides the method DisableEval.protect, which does the following: undefines all builtin eval methods; verifies that no one has aliased those methods to other names. Note that it is not practically possible to eliminate every single way of evaluating code if you can call arbitrary methods on arbitrary objects with arbitrary argu

Pseudo shell for CVE-2013-0156.

kuang_grade_mk11: Pseudo shell for CVE-2013-0156.

Recent Articles

Snowden picks up 'Epic 0wnage' gong in Vegas... well, not literally
The Register • John Leyden • 02 Aug 2013

And Barnaby Jack wins posthumous lifetime achievement Pwnie

Security researcher Barnaby Jack, famous for his "jackpot" hack on ATMs, which forced them to spit out cash, has won a lifetime achievement award less than a week after his death. The honour was announced yesterday at the Pwnie awards, Infosec's equivalent to the Oscars. Jack, 35, died last Thursday just days before he was due to give a talk on electronic medical implants for humans at Black Hat. The slot at the Las Vegas conference was left open, allowing friends and colleagues to gather togeth...

Ruby on Fails: Zombie SERVER army built thanks to Rails bug
The Register • John Leyden • 30 May 2013

The undead are coming, and they have 1Gbps pipes!

A critical vulnerability in trendy web programming kit Ruby on Rails is being abused to conscript hacked website servers into a growing botnet army. A security bug (CVE-2013-0156) in the open-source application framework was patched in January, but months later many website owners have failed to apply the update, leaving code on numerous sites vulnerable. Shortcomings in Ruby on Rails' parameter-parsing code allow miscreants to bypass authentication systems, inject and execute arbitrary code, o...

Ruby off the Rails: Enormo security hole puts 240k sites at risk
The Register • John Leyden • 10 Jan 2013

Update NOW or give everyone shell access to your app server

Popular programming framework Ruby on Rails has two critical security vulnerabilities - one allowing anyone to execute commands on the servers running affected web apps. The newly uncovered bugs both involve the parsing and handling of data supplied by visitors to a Rails application. The CVE-2013-0156 hole is the more severe of the two because it allows remote-code execution against any Ruby on Rails application that has the XML parser enabled - a feature switched on by default. According to se...