
CVE-2019-5420 PoC — Ruby on Rails Security Feature Issue Vulnerability

Source
Associated Vulnerability
Title: Ruby on Rails Security Feature Issue Vulnerability (CVE-2019-5420)
Description: A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.
Description
CVE-2019-5420 PoC: a simple Ruby script
Readme
# Rails ActiveSupport Exploit (CVE-2019-5420) PoC


## POC Screenshot

![Screenshot](cve-2019-5420-POC_SCREENSHOT.png)


## 🚨 Warning

This repository contains a **proof-of-concept (PoC) exploit** demonstrating **remote code execution (RCE)** in Ruby on Rails applications via `ActiveSupport::MessageVerifier` abuse. **Use responsibly!**

## 📌 Overview

This script exploits **ActiveSupport deserialization vulnerabilities** by leveraging a **crafted ERB object** wrapped in `DeprecatedInstanceVariableProxy`. When the signed payload is deserialized by a vulnerable Rails application, **arbitrary Ruby code execution** occurs.

## ⚠️ Disclaimer

This project is for **educational and research purposes only**. Unauthorized use against systems you do not own **is illegal** and may result in severe legal consequences.

## 🛠️ How It Works

### 1️⃣ Generate a Secret Key

- The script derives the development-mode secret token from a known Rails application name using MD5 hashing.

### 2️⃣ Create an ActiveStorage Secret

- Uses `ActiveSupport::KeyGenerator` to generate a signing key.

### 3️⃣ Create a Malicious ERB Object

- Constructs an **uninitialized `ERB` object** with attacker-controlled code.

### 4️⃣ Wrap in `DeprecatedInstanceVariableProxy`

- Hides the malicious object within an **innocuous-looking wrapper**.

### 5️⃣ Sign and Generate an Exploit Token

- Uses `ActiveSupport::MessageVerifier` to **sign** the payload, making it appear legitimate.

### 6️⃣ Achieve Remote Code Execution (RCE)

- When deserialized, Rails **executes** the attacker's payload, allowing arbitrary command execution.

## 🚀 Usage

```bash
ruby POC.rb
```

The script will generate a **signed exploit token**, which can be used against a vulnerable Rails application.

## 🛡️ Mitigations

- **Rotate and secure the application's secret token** to prevent attackers from generating signed payloads.
- **Upgrade Rails** to the latest version (Rails 7+ has stricter serialization mechanisms).
- **Use JSON serialization** instead of Marshal serialization to avoid arbitrary object loading.
- **Audit application deserialization** to ensure untrusted user input is not being deserialized.
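The first two mitigations can be checked mechanically. The following audit helper is an added example for this page, not code from the PoC repository or from Rails; it flags a Rails version that predates the fixed releases named in the advisory above and a `secret_key_base` that equals the predictable development-mode value. The derivation it checks (MD5 over the application class name, e.g. `Blog::Application`) is this editor's recollection of the pre-fix behaviour, and every input in the demo is a constructed sample value.

```ruby
# Added audit helper (not part of the PoC repository or of Rails).
# Checks the two preconditions CVE-2019-5420 depends on:
#   1. a Rails release older than the fixed versions (5.2.2.1 / 6.0.0.beta3)
#   2. a secret_key_base equal to the predictable development-mode value
require 'digest'
require 'rubygems' # provides Gem::Version for release comparisons

FIXED_5_2 = Gem::Version.new('5.2.2.1').freeze
FIXED_6_0 = Gem::Version.new('6.0.0.beta3').freeze

# True when the given Rails version string is older than the fix for its
# series, following the advisory text "Rails <5.2.2.1, <6.0.0.beta3".
def vulnerable_version?(version_string)
  v = Gem::Version.new(version_string)
  if v.segments[0, 2] == [6, 0]
    v < FIXED_6_0 # 6.0.0.beta1 and beta2 are affected
  else
    v < FIXED_5_2 # everything below 5.2.2.1
  end
end

# Assumption (editor's recollection): before the fix, development/test mode
# derived secret_key_base as MD5 over the application class name.
def predictable_dev_secret(app_class_name)
  Digest::MD5.hexdigest(app_class_name)
end

def predictable_secret?(app_class_name, secret_key_base)
  secret_key_base.to_s == predictable_dev_secret(app_class_name)
end

# Returns an array of human-readable findings; empty means nothing flagged.
def audit_rails_secret(rails_version:, app_class_name:, secret_key_base:)
  findings = []
  if vulnerable_version?(rails_version)
    findings << "Rails #{rails_version} predates the CVE-2019-5420 fix " \
                '(5.2.2.1 / 6.0.0.beta3); upgrade'
  end
  if secret_key_base.to_s.empty?
    findings << 'secret_key_base is not set'
  elsif predictable_secret?(app_class_name, secret_key_base)
    findings << "secret_key_base equals MD5(#{app_class_name}): " \
                'predictable development secret; rotate it'
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values: an old Rails with the predictable secret.
  weak = audit_rails_secret(
    rails_version: '5.2.2',
    app_class_name: 'Blog::Application',
    secret_key_base: predictable_dev_secret('Blog::Application')
  )
  weak.each { |f| puts "FINDING: #{f}" }

  # Constructed sample values: patched Rails with a random 64-hex secret.
  ok = audit_rails_secret(
    rails_version: '6.1.0',
    app_class_name: 'Blog::Application',
    secret_key_base: '3f' * 32
  )
  puts(ok.empty? ? 'OK: nothing flagged' : ok.inspect)
end
```

Run it with `ruby audit_rails_secret.rb`, or require the file and call `audit_rails_secret` with the values read from your own `config/credentials` and `Gemfile.lock`. The version check deliberately follows the advisory's wording rather than guessing which earlier series share the bug, so treat an empty result as "not flagged by these two checks", not as proof the application is safe.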

## 📜 Legal Disclaimer

This project is intended for educational purposes **only**. The author is **not responsible** for any misuse or damages caused by this code.

## 📚 References

- [Rails Security Guide](https://guides.rubyonrails.org/security.html)
- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)

---

⚠️ **Use at your own risk!**
