CVE-2015-3224
Published 2015-07-26
Priority: P348 · Severity: medium · CVSS 2.0 base score: 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploit available
EPSS: 44.98% (98.6th percentile)
request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.
Affected (1 range):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rubyonrails | web_console | <= 2.1.2 | — |
Detection & IOCs (extracted from sources)
Indicator (other): X-Forwarded-For: ::1
- Detect whitelist bypass attempts by inspecting inbound HTTP requests for X-Forwarded-For header values containing '0000::1', a malformed IPv6 address that bypasses the TRUSTED_PROXIES regex (^::1$) while matching IPAddr's ::1 value in Web Console.
- Alert on HTTP PUT requests to paths matching /repl_sessions/ combined with the headers 'Accept: application/vnd.web-console.v2' and 'X-Requested-With: XMLHttpRequest', which is the exploit's code-injection step.
- Detect responses containing both 'Rails.root:' and 'Action Controller: Exception caught' in the body alongside the response headers 'X-Web-Console-Session-Id', 'data-remote-path=' or 'data-session-id=', indicators that the Web Console is exposed and accessible.
- Monitor for the HTML attributes 'data-remote-path=' and 'data-session-id=' in HTTP response bodies, which expose the Web Console session path used by attackers to inject Ruby code.
- The whitelist bypass only works against Rails 4.0.x and 4.1.x; Rails 4.2.x restricts Web Console to localhost by default, so exploitation from a remote IP requires the attacker to already be in a whitelisted IP range.
- Users whose application is only accessible from localhost are not affected unless a local proxy is involved; the vulnerability is primarily a risk in development/test environments exposed to remote IPs.
- The bypass exploits a parser differential between Rails' TRUSTED_PROXIES regex (^::1$) and Ruby's IPAddr class: the malformed address '0000::1' fails the regex but is treated as equivalent to ::1 by IPAddr.
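The parser differential described in the last note, shown with Ruby's own IPAddr class (an added example, not code from the Web Console gem or from any source quoted on this page). The `trusted_ip?` hardening and the `suspicious_xff?` log check are assumptions about how a defender would close and detect the gap, not the gem's actual 2.1.3 patch:

```ruby
require 'ipaddr'

# Text-only loopback pattern, as the notes above attribute to Rails'
# TRUSTED_PROXIES for IPv6 before 4.2 (reproduced here for comparison only).
IPV6_LOOPBACK_REGEX = /^::1$/

# Parse an address with IPAddr; nil for anything IPAddr rejects.
def parse_ip(text)
  IPAddr.new(text.strip)
rescue IPAddr::InvalidAddressError, ArgumentError
  nil
end

# The differential: does the regex, and does IPAddr, consider this text to be ::1?
# Returns [regex_says_loopback, ipaddr_says_loopback].
def loopback_views(text)
  regex_says = !(text.strip =~ IPV6_LOOPBACK_REGEX).nil?
  ip = parse_ip(text)
  ipaddr_says = !ip.nil? && ip == IPAddr.new('::1')
  [regex_says, ipaddr_says]
end

# Assumed hardening (not the gem's actual patch): decide trust on the parsed
# IPAddr object rather than on the text, so every spelling of ::1 is treated
# the same way on both sides of the check.
TRUSTED = [IPAddr.new('127.0.0.1'), IPAddr.new('::1')].freeze

def trusted_ip?(text)
  ip = parse_ip(text)
  !ip.nil? && TRUSTED.any? { |t| t == ip }
end

# Detection helper for the first note: an X-Forwarded-For entry that parses to
# a loopback address but is not written in IPAddr's canonical form has exactly
# the shape of a bypass attempt and is worth alerting on.
def suspicious_xff?(header_value)
  header_value.split(',').any? do |entry|
    entry = entry.strip
    ip = parse_ip(entry)
    next false if ip.nil?
    trusted_ip?(entry) && ip.to_s != entry
  end
end
```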
GHSA (2017-10-24)
CVE-2015-3224 [MEDIUM] CWE-284: Web Console (Ruby gem) contains whitelisted_ips bypass
OSV (2017-10-24)
CVE-2015-3224 [MEDIUM]: Web Console (Ruby gem) contains whitelisted_ips bypass
No detection rules found.
Exploit-DB (2015-06-16)
CVE-2015-3224: Ruby on Rails 4.0.x/4.1.x/4.2.x (Web Console v2) - Whitelist Bypass Code Execution (Metasploit)
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Ruby on Rails Web Console (v2) Whitelist Bypass Code Execution',
      'Description' => %q{
        This module exploits an IP whitelist bypass vulnerability in the developer
        web console included with Ruby on Rails 4.0.x and 4.1.x. This module will also
        achieve code execution on Rails 4.2.x if the attack is launched from a
        whitelisted IP range.
      },
      'Author' => [
        'joernchen',  # Discovery & disclosure
        'Ben Murphy', # Discovery & disclosure
        'hdm'         # Metasploit module
      ],
      'License'    => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2015
```
Nuclei (CVSS 4.3)
CVE-2015-3224 [MEDIUM]: Ruby on Rails Web Console - Remote Code Execution
Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb.
Template:
```yaml
id: CVE-2015-3224
info:
  name: Ruby on Rails Web Console - Remote Code Execution
  author: pdteam
  severity: medium
  description: Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb.
  impact: |
    Remot
```
Metasploit
Ruby on Rails Web Console (v2) Whitelist Bypass Code Execution
This module exploits an IP whitelist bypass vulnerability in the developer web console included with Ruby on Rails 4.0.x and 4.1.x. This module will also achieve code execution on Rails 4.2.x if the attack is launched from a whitelisted IP range.
Bugzilla (2015-06-18, CVSS 4.3)
CVE-2015-3224 [MEDIUM]: rubygem-web-console: IP whitelist bypass in Web Console
There is a remote code execution vulnerability in Web Console.
This vulnerability has been assigned the CVE identifier CVE-2015-3224.
Versions Affected: All
Not affected: Environments inaccessible from remote IPs, or without Web Console enabled
Fixed Versions: 2.1.3
Impact
Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default).
Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved.
Workarounds
To work around this issue, turn off web-console in all environments, by removing/commenting it from the application'
Bugzilla (2015-06-18, CVSS 4.3)
CVE-2015-3224 [MEDIUM]: rubygem-web-console: IP whitelist bypass in Web Console [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported version
HackerOne (2015-06-16, CVSS 4.3)
[MEDIUM] RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1
With the release of Ruby on Rails 4.2 the so called [Web Console](https://github.com/rails/web-console) was introduced.
As the Web Console documentation states:
*Web Console is built explicitly for Rails 4.*
By default the Web Console is available in the Rails Development Environment and allows only the IPs `127.0.0.1` and `::1` to access the console in order to evaluate arbitrary Ruby statements for the purpose of debugging.
However with Rails Versions 4.1 and 4.0 the Web Console built in IP whitelist is bypassable.
This is due to the fact that Web Console parses the `request.remote_ip` to check if the IP is whitelisted with the Ruby class `IPAddr`. The Rails stack prior to 4.2 when calculating `request.remote_ip` uses [t
References:
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html
- http://openwall.com/lists/oss-security/2015/06/16/18
- http://www.securityfocus.com/bid/75237
- https://github.com/rails/web-console/blob/master/CHANGELOG.markdown
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ