CVE-2019-5418

This exercise details the exploitation of CVE-2019-5418 to get code execution

PRO
Tier
Hard
1-2 Hrs.
450
Green Badge

The course begins by emphasizing the need to solve foundational exercises like ruby_ugadget and CVE-2019-5420 to understand the full scope of the challenge. It explains how an attacker can manipulate the Accept header to read critical files such as config/master.key and config/credentials.yml.enc, and then use these files to decrypt session data and ultimately gain code execution. The vulnerability arises because Rails trusts the Accept header and concatenates it to a string used as a Glob, allowing directory traversal attacks.

The course also covers the intricacies of Rails' caching mechanisms and how they can impact an attack, noting that caching has been disabled for this exercise to simplify exploitation. It provides detailed steps on decrypting session data and forging a payload using Marshal to achieve code execution. The course concludes by highlighting the importance of understanding session serialization and the potential risks of running applications in development mode on the internet.

Want to learn more? Get started with PentesterLab Pro! GOPRO