Ruby Remote Debug Can Cause Arbitrary Remote Code Execution #220

Open
GeekOnlineCode opened this issue Aug 26, 2021 · 0 comments

Comments


GeekOnlineCode commented Aug 26, 2021

When you use ruby-debug-ide for remote debugging, it can potentially lead to arbitrary remote code execution.

```
rdebug-ide --host 0.0.0.0 --port 6666 --dispatcher-port 6666 -- test.rb s
telnet remote_host remote_port
```

Because there is no permission verification, as long as the port is open, anyone can access it remotely. Debuggers for other languages have had a similar situation, like the Node.js Debug RCE (https://www.cvedetails.com/cve/CVE-2018-12120/) and the Java Debug RCE (https://www.rapid7.com/db/modules/exploit/multi/misc/java_jdwp_debugger/).

Remote code execution can be exploited through the following steps.

1. The help document (https://github.com/ruby-debug/ruby-debug-ide/blob/master/protocol-spec.md) contains no command execution instructions, so it looks like remote command execution is not possible.
2. But I found in the directory (ruby-debug-ide/lib/ruby-debug-ide/commands/) that the command eval can execute arbitrary commands.
3. So anybody who connects to the remote service can execute arbitrary code.

Advice

1. Modify the readme.md content to use a specific IP: --host specific_ip
2. Delete the "eval" command
3. Use authentication, like SSH.
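The exposure described in this issue is a debug listener bound to every interface with no authentication in front of it. As an added example (not code from ruby-debug-ide or from the issue author), the Ruby audit below checks two things a practitioner would want to verify on a host: whether an rdebug-ide command line pins the listener to a loopback address with --host, and whether `ss -ltnp` shows an rdebug-ide socket listening on a non-loopback address. The `ss` output is a constructed sample; the `--host`, `--port` and `--dispatcher-port` flags are the ones used in the report, and the choice to treat a command line without an explicit --host as exposed is this script's own conservative policy, not a statement about rdebug-ide's default.

```ruby
# Added example: audit helpers for the rdebug-ide exposure described above.
# Not part of ruby-debug-ide. Sample `ss -ltnp` output is constructed.
require 'ipaddr'

WILDCARD_HOSTS = %w[0.0.0.0 :: [::] *].freeze
LOOPBACK_NETS  = [IPAddr.new('127.0.0.0/8'), IPAddr.new('::1')].freeze

# Value passed via --host / --host=VALUE in an rdebug-ide argv, or nil when
# absent. Arguments after '--' belong to the debuggee and are ignored.
def rdebug_host(argv)
  own = argv.take_while { |a| a != '--' }
  idx = own.index('--host')
  return own[idx + 1] if idx && own[idx + 1]
  pair = own.find { |a| a.start_with?('--host=') }
  pair ? pair.split('=', 2)[1] : nil
end

# true only for 127.0.0.0/8, ::1 or the literal name "localhost".
def loopback?(host)
  return false if host.nil? || WILDCARD_HOSTS.include?(host)
  addr = IPAddr.new(host.delete('[]'))
  LOOPBACK_NETS.any? { |net| net.family == addr.family && net.include?(addr) }
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
  host == 'localhost'
end

# true when an rdebug-ide command line does not pin the listener to loopback.
# Policy of this example: a missing --host counts as exposed, because the
# command line does not prove the bind address is loopback.
def exposed_invocation?(cmdline)
  argv = cmdline.split
  return false unless argv.first.to_s.end_with?('rdebug-ide')
  host = rdebug_host(argv)
  host.nil? || !loopback?(host)
end

# Parses `ss -ltnp` output; returns "addr:port" for every LISTEN socket owned
# by an rdebug-ide process whose local address is not loopback.
def exposed_listeners(ss_output)
  ss_output.lines.filter_map do |line|
    cols = line.split
    next unless cols[0] == 'LISTEN' && line.include?('rdebug-ide')
    local = cols[3]                         # e.g. "0.0.0.0:6666" or "[::]:22"
    host  = local.rpartition(':').first
    local unless loopback?(host)
  end
end

# Constructed sample: one wildcard-bound debugger, one loopback-bound one,
# and an unrelated sshd listener that must not be reported.
SAMPLE_SS = <<~SS
  State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
  LISTEN 0      1      0.0.0.0:6666        0.0.0.0:*         users:(("rdebug-ide",pid=4242,fd=7))
  LISTEN 0      1      127.0.0.1:1234      0.0.0.0:*         users:(("rdebug-ide",pid=4243,fd=7))
  LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
SS

if __FILE__ == $0
  reported = 'rdebug-ide --host 0.0.0.0 --port 6666 --dispatcher-port 6666 -- test.rb'
  pinned   = 'rdebug-ide --host 127.0.0.1 --port 1234 --dispatcher-port 26162 -- test.rb'
  puts "reported invocation exposed: #{exposed_invocation?(reported)}"
  puts "loopback invocation exposed: #{exposed_invocation?(pinned)}"
  puts "exposed listeners: #{exposed_listeners(SAMPLE_SS).inspect}"
end
```

Run it on a host by piping the real `ss -ltnp` into `exposed_listeners`; a loopback-only bind plus an SSH port forward (the issue's advice 1 and 3 together) is what makes both checks come back clean.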
