Ruby on Rails Web Console IP Whitelist Bypass

June 16, 2015 - 1 minute read

With the release of Ruby on Rails 4.2 the so called Web Console was introduced.

As the Web Console documentation states: Web Console is built explicitly for Rails 4.

By default the Web Console is enabled in the Rails development environment and allows only the IPs and ::1 to access the console, where arbitrary Ruby statements can be evaluated for debugging purposes.

However, with Rails versions 4.1 and 4.0 the Web Console's built-in IP whitelist is bypassable. Web Console parses request.remote_ip with the Ruby class IPAddr to check whether the IP is whitelisted, whereas the Rails stack prior to 4.2, when calculating request.remote_ip, uses these regular expressions to strip trusted proxies out of the X-Forwarded-For and Client-IP HTTP headers.

Due to this parser differential an attacker might bypass the Web Console IP whitelist by supplying an HTTP header value of:

X-Forwarded-For: 0000::1

In this notation the IPv6 address does not match the TRUSTED_PROXIES entry ^::1$, so it is not stripped as a trusted proxy, yet IPAddr parses it as equal to ::1 within Web Console.
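To make the differential concrete, here is an added Ruby example (not code from the post, Rails or Web Console): a constructed, simplified remote_ip that strips trusted proxies either textually, as the pre-4.2 stack does, or through IPAddr, beside a Web Console style whitelist check. The trusted-proxy regex list, the whitelist entries and the peer address 203.0.113.5 are assumptions.

```ruby
require "ipaddr"

# Constructed stand-in for the pre-4.2 textual trusted-proxy check quoted in
# the post: a regex such as ^::1$ matches only that exact spelling of loopback.
TRUSTED_PROXY_REGEXES = [/\A127\.0\.0\.1\z/, /\A::1\z/].freeze

# Hardened variant: the same entries parsed with IPAddr, so every textual
# form of the address (0000::1, ::0001, ...) compares equal to ::1.
TRUSTED_PROXY_ADDRS = [IPAddr.new("127.0.0.1"), IPAddr.new("::1")].freeze

# Stand-in for Web Console's whitelist (assumption: the two loopback addresses).
WHITELIST = TRUSTED_PROXY_ADDRS

def parse_ip(str)
  IPAddr.new(str)
rescue IPAddr::InvalidAddressError
  nil
end

# Simplified remote_ip: drop trusted proxies from X-Forwarded-For and fall back
# to the socket peer address. strict: false uses the regexes, true uses IPAddr.
def remote_ip(xff, peer_addr, strict:)
  candidates = xff.to_s.split(",").map(&:strip)
  trusted = lambda do |ip|
    if strict
      addr = parse_ip(ip)
      !addr.nil? && TRUSTED_PROXY_ADDRS.any? { |p| p.include?(addr) }
    else
      TRUSTED_PROXY_REGEXES.any? { |re| re.match?(ip) }
    end
  end
  candidates.reject(&trusted).first || peer_addr
end

# Web Console's decision: parse remote_ip with IPAddr and compare to the whitelist.
def console_allowed?(ip)
  addr = parse_ip(ip)
  !addr.nil? && WHITELIST.any? { |w| w.include?(addr) }
end

# True when a request from peer_addr carrying the given X-Forwarded-For value
# would be let into the console.
def bypass?(xff, peer_addr, strict:)
  console_allowed?(remote_ip(xff, peer_addr, strict: strict))
end

# Constructed request: external peer 203.0.113.5 sends X-Forwarded-For: 0000::1
puts bypass?("0000::1", "203.0.113.5", strict: false)  # => true  (parser differential)
puts bypass?("0000::1", "203.0.113.5", strict: true)   # => false (canonical compare)
```

The fix is to canonicalise before comparing: once both sides parse with IPAddr, every spelling of ::1 is stripped as a trusted proxy and the request is attributed to the real peer.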

As the Web Console is intended for debugging in the development environment, this will most likely not affect production setups unless Web Console is explicitly enabled there. But gaining RCE on developer laptops might be fun as well ;).