Script http-vuln-cve2013-0156

Script types: portrule
Categories: exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/http-vuln-cve2013-0156.nse

Script Summary

Detects Ruby on Rails servers vulnerable to object injection, remote command execution and denial of service attacks. (CVE-2013-0156)

All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script sends 3 harmless YAML payloads to detect vulnerable installations. If the malformed object elicits a status 500 response, the server is processing YAML objects and is therefore likely vulnerable.
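As an added example, not part of the NSE script or of Nmap, the affected version ranges listed above turned into an offline check of an application's Gemfile.lock, the kind of inventory check a defender runs without sending anything to the server; the lockfile content is constructed and the function names are assumptions of this example.

```ruby
require 'rubygems' # Gem::Version (stdlib) orders "3.2.11.rc1" before "3.2.11"

# First fixed release per branch, as listed on this page; anything older
# than the 2.3 branch has no fixed release ("all versions before 2.3.15").
FIXED_RELEASES = {
  [2, 3] => '2.3.15', [3, 0] => '3.0.19',
  [3, 1] => '3.1.10', [3, 2] => '3.2.11',
}.freeze

# True when a Rails version string falls inside an affected range named on
# this page. Branches the page does not list (e.g. 4.x) return false.
def affected?(version_str)
  v = Gem::Version.new(version_str)
  major = v.segments[0]
  minor = v.segments[1].is_a?(Integer) ? v.segments[1] : 0
  return true if major < 2 || (major == 2 && minor < 3)
  fixed = FIXED_RELEASES[[major, minor]]
  !fixed.nil? && v < Gem::Version.new(fixed)
end

# The resolved rails spec line in a Gemfile.lock sits at exactly four spaces
# of indent ("    rails (3.2.10)"); the two- and six-space "rails (= x)"
# lines are dependency constraints, not the resolved version.
def rails_version_from_lockfile(text)
  text.each_line do |line|
    m = line.match(/\A {4}rails \(([0-9][^)]*)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Returns [version, affected?], or nil when rails is not in the lockfile.
def check_lockfile(text)
  version = rails_version_from_lockfile(text)
  version && [version, affected?(version)]
end

# Constructed sample lockfile (not taken from any real application).
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    specs:
      rails (3.2.10)
        railties (= 3.2.10)

  DEPENDENCIES
    rails (= 3.2.10)
LOCK

puts check_lockfile(SAMPLE_GEMFILE_LOCK).inspect if $PROGRAM_NAME == __FILE__
```

Replace the sample with `File.read('Gemfile.lock')` to check a real application.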

References:

Script Arguments

http-vuln-cve2013-0156.uri

Basepath URI (default: /).

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -sV --script http-vuln-cve2013-0156 <target>
nmap -sV --script http-vuln-cve2013-0156 --script-args uri="/test/" <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2013-0156:
|   VULNERABLE:
|   Parameter parsing vulnerabilities in several versions of Ruby on Rails allow object injection, remote command execution and Denial Of Service attacks (CVE-2013-0156)
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable to object injection, remote command execution and denial of service attacks.
|       The attackers don't need to be authenticated to exploit these vulnerabilities.
|
|     References:
|       https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
|       https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
|_      http://cvedetails.com/cve/2013-0156/

Requires


Author:

  • Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html

action

action (host, port)

MAIN

Parameters

host

port