高危 Rails <= 5.2.1 Accept头任意文件读取漏洞

CVE编号

CVE-2019-5418

利用情况

EXP 已公开

补丁情况

官方补丁

披露时间

2019-03-28

漏洞描述

Action View（Rails）&lt;5.2.2.1，&lt;5.1.6.2，&lt;5.0.7.2，&lt;4.2.11.1中存在文件内容泄露漏洞，其中特制的接受标头可能导致目标系统文件系统上任意文件的内容泄漏。<br>

解决建议

厂商已发布了漏洞修复程序，请及时关注更新：https://rubyonrails.org/

参考链接
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Conten...
http://www.openwall.com/lists/oss-security/2019/03/22/1
https://access.redhat.com/errata/RHSA-2019:0796
https://access.redhat.com/errata/RHSA-2019:1147
https://access.redhat.com/errata/RHSA-2019:1149
https://access.redhat.com/errata/RHSA-2019:1289
https://groups.google.com/forum/
https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/
https://www.exploit-db.com/exploits/46585/

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	redhat	cloudforms	4.6	-
	运行在以下环境
	应用	redhat	cloudforms	4.7	-
	运行在以下环境
	应用	redhat	software_collections	1.0	-
	运行在以下环境
	应用	rubyonrails	rails	*	From (including) 3.0.0	Up to (excluding) 4.2.11.1
	运行在以下环境
	应用	rubyonrails	rails	*	From (including) 5.0.0	Up to (excluding) 5.0.7.2
	运行在以下环境
	应用	rubyonrails	rails	*	From (including) 5.1.0	Up to (excluding) 5.1.6.2
	运行在以下环境
	应用	rubyonrails	rails	*	From (including) 5.2.0	Up to (excluding) 5.2.2.1
	运行在以下环境
	系统	debian_10	rails	*		Up to (excluding) 2:5.2.2.1+dfsg-1
	运行在以下环境
	系统	debian_11	rails	*		Up to (excluding) 2:5.2.2.1+dfsg-1
	运行在以下环境
	系统	debian_12	rails	*		Up to (excluding) 2:5.2.2.1+dfsg-1
	运行在以下环境
	系统	debian_sid	rails	*		Up to (excluding) 2:5.2.2.1+dfsg-1
	运行在以下环境
	系统	fedora_30	rubygem-actioncable-doc	*		Up to (excluding) 5.2.3-1.fc30
	运行在以下环境
	系统	opensuse_Leap_15.0	ruby2.5-rubygem-actionpack-5_1	*		Up to (excluding) 5.1.4-lp150.2.3.1
	运行在以下环境
	系统	opensuse_Leap_15.1	rmt-server	*		Up to (excluding) 2.6.5-lp151.2.18.2
	运行在以下环境
	系统	opensuse_Leap_15.2	rmt-server	*		Up to (excluding) 2.6.5-lp152.2.3.1

阿里云评分 7.0

• 攻击路径 远程
• 攻击复杂度 容易
• 权限要求 无需权限
• 影响范围 越权影响
• EXP成熟度 EXP 已公开
• 补丁情况 官方补丁
• 数据保密性 数据泄露
• 数据完整性 传输被破坏
• 服务器危害 无影响
• 全网数量 N/A

CWE-ID	漏洞类型
NVD-CWE-noinfo

Exp相关链接

• https://github.com/Bad3r/RailroadBandit
• https://github.com/brompwnie/CVE-2019-5418-Scanner
• https://github.com/mpgn/CVE-2019-5418
• https://github.com/mpgn/Rails-doubletap-RCE
• https://github.com/omarkurt/CVE-2019-5418
• https://github.com/random-robbie/CVE-2019-5418
• https://github.com/takeokunn/CVE-2019-5418
• https://github.com/vulhub/vulhub/tree/master/rails/CVE-2019-5418
• https://github.com/ztgrace/CVE-2019-5418-Rails3
• https://pentesterlab.com/exercises/cve-2019-5418/course
• https://raw.githubusercontent.com/1N3/Sn1per/master/templates/active/CVE-2019-5418_-_Rail_File_Content_Disclosure.sh
• https://raw.githubusercontent.com/jaeles-project/jaeles-signatures/master/cves/rails-cve-2019-5418.yaml
• https://raw.githubusercontent.com/jaeles-project/jaeles-signatures/master/cves/rails-info-leak-cve-2019-5418.yaml
• https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/CVE-2019-5418.yaml
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/gather/rails_doubletap_file_read.rb
• https://www.exploit-db.com/exploits/46585

- avd.aliyun.com