CVE-2013-5036
Published 2014-05-27
Priority: P269, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 46.18% (98.7th percentile)
The Square Squash allows remote attackers to execute arbitrary code via a YAML document in the (1) namespace parameter to the deobfuscation function or (2) sourcemap parameter to the sourcemap function in app/controllers/api/v1_controller.rb.
Detection & IOCs (extracted from sources)
command: --- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'<rand>;eval(%[<base64_payload>].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}
- Detect POST requests to /api/1.0/deobfuscation with a JSON body containing a 'namespace' key holding a base64+zlib-compressed YAML payload; HTTP 422 response to a probe of this endpoint indicates potential vulnerability.
- Look for YAML deserialization gadget strings in POST body parameters: '!ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection' and '!ruby/object:OpenStruct' are hallmarks of this exploit's payload.
- The exploit encodes the YAML payload as base64(zlib-deflate) and embeds it in the 'namespace' JSON field; monitor for unusually large or high-entropy base64 strings in the 'namespace' or 'sourcemap' parameters of API requests to Squash.
- The attack targets both the 'namespace' parameter (deobfuscation endpoint) and the 'sourcemap' parameter (sourcemap endpoint) in the Squash API controller; monitor POST requests to both /api/1.0/deobfuscation and the sourcemap equivalent.
- The exploit uses a hardcoded but arbitrary api_key value of '1'; real deployments may require a valid API key, meaning unauthenticated exploitation depends on the target's API key validation being absent or bypassable.
- The payload architecture is Ruby (ARCH_RUBY), meaning the injected code executes within the Ruby/Rails process context; detection and containment should account for Ruby eval-based execution rather than OS-level shell spawning.
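The checks in the list above, as an added Ruby example that is not part of the original page or of Squash: it parses a JSON request body, unwraps the base64(zlib-deflate) encoding of the 'namespace' and 'sourcemap' fields, and reports every '!ruby/' YAML tag it finds in the raw or unwrapped value. The function names, the 1 MiB inflate cap and the sample bodies are assumptions constructed for illustration.

```ruby
require 'json'
require 'base64'
require 'zlib'

SUSPECT_PARAMS = %w[namespace sourcemap].freeze # fields named in the advisory
RUBY_TAG = %r{!ruby/[a-z]+(?::[\w:]+)?}         # YAML tags that instantiate Ruby objects
MAX_INFLATED = 1_048_576                        # assumed cap against decompression bombs

# Undo the base64(zlib-deflate) wrapping; nil when the value is not in that form.
def unwrap(value)
  raw = Base64.strict_decode64(value)
  zi = Zlib::Inflate.new
  out = String.new # binary buffer
  (0...raw.bytesize).step(1024) do |i|
    out << zi.inflate(raw.byteslice(i, 1024))
    break if out.bytesize > MAX_INFLATED # stop inflating, scan what we have
  end
  out
rescue ArgumentError, Zlib::Error
  nil
ensure
  zi&.close
end

# Return [param, tag] pairs for each Ruby object tag in a JSON request body.
def yaml_gadget_hits(json_body)
  params = JSON.parse(json_body)
  return [] unless params.is_a?(Hash)
  SUSPECT_PARAMS.flat_map do |name|
    value = params[name]
    next [] unless value.is_a?(String)
    texts = [value, unwrap(value)].compact # raw form and unwrapped form
    texts.flat_map { |t| t.scan(RUBY_TAG) }.uniq.map { |tag| [name, tag] }
  end
rescue JSON::ParserError
  []
end

# Constructed samples: the two tags from the page around inert data, no code.
SAMPLE_YAML = "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" \
              "'constructed': !ruby/object:OpenStruct\n table:\n  :defaults: {}\n"
def wrap(text) # base64(zlib-deflate), the encoding the page describes
  Base64.strict_encode64(Zlib::Deflate.deflate(text))
end
WRAPPED_BODY = JSON.generate('namespace' => wrap(SAMPLE_YAML))
BENIGN_BODY = JSON.generate('namespace' => wrap("---\ncom.example.Foo: a\n"))
RAW_BODY = JSON.generate('sourcemap' => SAMPLE_YAML)
p yaml_gadget_hits(WRAPPED_BODY) if __FILE__ == $PROGRAM_NAME
```

Matching on the '!ruby/' prefix rather than on the two class names also catches other object tags, since neither endpoint has a legitimate reason to receive YAML that instantiates Ruby objects.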
No detection rules found.
Exploit-DB
Squash - YAML Code Execution (Metasploit)
exploitdb·2013-08-12
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'zlib'
class Metasploit3 'Squash YAML Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in the
YAML request processor of the Squash application.
},
'Author' =>
[
'Charlie Eriksen' # Discovery, initial exploit
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://ceriksen.com/2013/08/06/squash-remote-code-execution-vulnerability-advisory/'],
[ 'OSVDB', '95992'],
[ 'CVE', '2013-5036']
],
'Platform' => 'ruby',
'Arch' => ARCH_RUBY
Metasploit
Squash YAML Code Execution
metasploit
This module exploits a remote code execution vulnerability in the YAML request processor of the Squash application.
http://ceriksen.com/2013/08/06/squash-remote-code-execution-vulnerability-advisory/
http://osvdb.org/95992
http://www.exploit-db.com/exploits/27530
https://exchange.xforce.ibmcloud.com/vulnerabilities/86335
https://github.com/SquareSquash/web/commit/6d667c19e96e4f23dccbfbe24afeebd18e98e1c5
Published: 2014-05-27