
Ruby off the Rails, as major exploits appear online


Researchers have warned of a remote code execution exploit for flaws in Ruby on Rails that were the subject of two "extremely critical" fixes this week.

The parameter-parsing flaws are present in all versions of the open source web application framework, and could allow attackers to bypass authentication and execute arbitrary code in apps written in Ruby on Rails.

According to the Ruby on Rails project, there are "multiple weaknesses in the parameter parsing code for Ruby on Rails that allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application".

According to reports, up to 250,000 Rails-based websites could be at risk. A proof-of-concept attack covering every version of Rails released in the last six years was initially reported as developed but not made public; reports have since emerged that proof-of-concept exploits have now appeared online.

Rapid7 chief security officer HD Moore said that the main problem is that the XML processor in Ruby on Rails can be tricked into decoding the request as a YAML document or as a Ruby Symbol, both of which can expose the application to remote code execution or SQL injection.

Moore, whose Metasploit project is written in Ruby on Rails, said Rapid7 has applied the workaround to all of its own RoR applications. "This is more than likely the worst security issue that the Rails platform has seen to date," he said.
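The mechanism Moore describes and the workaround Rapid7 applied, as an added illustrative Ruby model that is not Rails' own parser or code from the article: a typed-XML parameter parser picks a coercion from a table keyed by each node's `type` attribute, and deleting the "yaml" and "symbol" entries leaves such nodes as plain strings. The table names, `parse_params`, `suspicious_xml?` and the sample request body are constructed for this example.

```ruby
require "rexml/document"
require "yaml"

# Illustrative model (not Rails' code) of a typed-XML parameter parser:
# each leaf node's `type` attribute selects a coercion from this table.
# In Ruby 1.9-era Psych, YAML.load could instantiate arbitrary objects,
# so handing untrusted text to it amounted to remote code execution.
VULNERABLE_PARSING = {
  "integer" => ->(s) { s.to_i },
  "symbol"  => ->(s) { s.to_sym },      # untrusted text becomes a Symbol
  "yaml"    => ->(s) { YAML.load(s) },  # untrusted text goes through YAML
}.freeze

# Hardened table: drop the dangerous coercions, mirroring the published
# workaround of deleting "symbol" and "yaml" from ActiveSupport::XmlMini::PARSING.
HARDENED_PARSING = VULNERABLE_PARSING.reject { |k, _| %w[symbol yaml].include?(k) }.freeze

# Turn <params><name type="...">text</name></params> into a Hash, coercing
# each leaf by its `type` attribute when the table knows that type.
def parse_params(xml, table)
  doc = REXML::Document.new(xml)
  params = {}
  doc.root.elements.each do |el|
    text = el.text.to_s
    coerce = table[el.attributes["type"].to_s.downcase]
    params[el.name] = coerce ? coerce.call(text) : text
  end
  params
end

# Detection: flag request bodies that ask for the dangerous coercions at all,
# so they can be logged or blocked before they reach the application.
DANGEROUS_TYPES = %w[yaml symbol].freeze

def suspicious_xml?(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "//*[@type]").any? do |el|
    DANGEROUS_TYPES.include?(el.attributes["type"].to_s.downcase)
  end
rescue REXML::ParseException
  true # unparseable body: treat as suspicious
end

# Constructed sample request body; the YAML here is benign (no object tags).
SAMPLE_BODY = <<~XML
  <params>
    <age type="integer">42</age>
    <role type="symbol">admin</role>
    <note type="yaml">{ greeting: hello }</note>
  </params>
XML
```

With the vulnerable table the `role` and `note` values come back as a Symbol and a parsed YAML Hash; with the hardened table both stay strings, and `suspicious_xml?` flags the body either way.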

Security researcher Ben Murphy said: "An attacker can execute any Ruby code he wants including system (Unix command). This affects any Rails version for the last six years."

"I've written POCs for Rails 3.x and Rails 2.x on Ruby 1.9.3, Ruby 1.9.2 and Ruby 1.8.7 and there is no reason to believe this wouldn't work on any Ruby/Rails combination since the bug was introduced. The exploit does not depend on code the user has written and will work with a new Rails application without any controllers."

According to a SANS Institute blog by Rob VandenBrink, senior consulting engineer at Metafore, because of the security profile of Ruby on Rails, any security issues should be taken seriously. "However, the hype and hoopla that any site with Ruby on Rails code on it is vulnerable is just that - the vulnerability being discussed is very specific in nature, but folks hear SQL injection and (mistakenly as far as I can see) send it to the headline page," he said.

Sourcefire chief architect Adam J O'Donnell said a worm could emerge to target the vulnerabilities, but such a threat would be overshadowed by more stealthy attacks.

"The worst case situation is that attackers use the vulnerability to silently compromise massive numbers of vulnerable websites, grab everything from the database, and install persistent backdoors in the infrastructure of every organisation running the vulnerable code.

"They could also silently post a client-side exploit that targets people who come to that site, commonly known as a watering hole attack. A worm would likely force everyone to fix their infrastructure immediately, while silent exploitation may not be as motivating."

This story originally appeared on SCMagazine.com.au. Headline courtesy of Wim Remes.
