CVE-2019-5418
Bookmarked!This exercise details the exploitation of CVE-2019-5418 to get code execution
The course begins by emphasizing the need to solve foundational exercises like ruby_ugadget
and CVE-2019-5420
to understand the full scope of the challenge. It explains how an attacker can manipulate the Accept
header to read critical files such as config/master.key
and config/credentials.yml.enc
, and then use these files to decrypt session data and ultimately gain code execution. The vulnerability arises because Rails trusts the Accept
header and concatenates it to a string used as a Glob, allowing directory traversal attacks.
The course also covers the intricacies of Rails' caching mechanisms and how they can impact an attack, noting that caching has been disabled for this exercise to simplify exploitation. It provides detailed steps on decrypting session data and forging a payload using Marshal
to achieve code execution. The course concludes by highlighting the importance of understanding session serialization and the potential risks of running applications in development mode on the internet.