
Ruby off the Rails, as major exploits appear online


Researchers have warned of a remote code execution exploit for flaws in Ruby on Rails that were the subject of two ‘extremely critical’ fixes this week.

The parameter-parsing flaws are present in all versions of the open source web application framework, and could allow attackers to bypass authentication and execute arbitrary code in apps written in Ruby on Rails.

According to Ruby on Rails, there are "multiple weaknesses in the parameter parsing code for Ruby on Rails that allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application".

According to reports, up to 250,000 Rails-based websites could be at risk of attack. A proof-of-concept attack covering every Rails version of the last six years was initially said to exist but not to have been made public; reports have since emerged that proof-of-concept exploits have now appeared online.

Rapid7 chief security officer HD Moore said that the main problem is that the XML processor in Ruby on Rails can be tricked into decoding the request as a YAML document or as a Ruby Symbol, both of which can expose the application to remote code execution or SQL injection.

According to Moore, whose Metasploit project is written in Ruby on Rails, Rapid7 has updated all of its own RoR applications with the workaround. “This is more than likely the worst security issue that the Rails platform has seen to date,” he said.
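The flaw Moore describes, and the spirit of the workaround Rapid7 applied, can be illustrated with an added example that is not code from the article, from Rapid7 or from the Rails project. The Rails project's published workaround removed the "symbol" and "yaml" entries from ActiveSupport::XmlMini::PARSING in an initializer; the stand-alone Ruby below applies the same allowlist idea without needing Rails. It uses the standard REXML library to read a flat XML request body and casts a parameter only when its type attribute names an expected scalar type, so a body that asks to be decoded as yaml or symbol is refused before any deserialiser sees the data. The SAFE_CASTS table, the function names and the sample request bodies are constructed for this illustration.

```ruby
# Added example (not from the article, Rapid7 or the Rails project): an
# allowlist-based caster for the "type" attribute on XML request parameters.
# The flaw described in the article was that the framework honoured
# type="yaml" and type="symbol", handing request data to a YAML loader or
# Symbol conversion. Here only expected scalar types are cast; any other
# type value raises before the data reaches a deserialiser.
require 'rexml/document'

# Hypothetical allowlist: the only type attributes this parser will honour.
SAFE_CASTS = {
  'string'  => ->(s) { s },
  'integer' => ->(s) { Integer(s, 10) },
  'float'   => ->(s) { Float(s) },
  'boolean' => ->(s) { %w[true 1].include?(s.strip.downcase) }
}.freeze

class UnsafeTypeError < StandardError; end

# Cast one parameter according to its declared type; untyped values stay strings.
def cast_typed_value(text, type)
  return text if type.nil?
  caster = SAFE_CASTS[type]
  raise UnsafeTypeError, "refusing to cast XML parameter as type=#{type.inspect}" unless caster
  caster.call(text)
end

# Parse a flat XML body (<root><key type="...">value</key>...</root>) into a Hash.
def parse_xml_params(body)
  root = REXML::Document.new(body).root
  raise ArgumentError, 'missing root element' if root.nil?
  params = {}
  root.each_element do |el|
    params[el.name] = cast_typed_value(el.text.to_s, el.attributes['type'])
  end
  params
end

# True when the body is refused because of a disallowed type attribute.
def rejects_xml_params?(body)
  parse_xml_params(body)
  false
rescue UnsafeTypeError
  true
end

# Constructed sample request bodies (not real traffic).
BENIGN_BODY = <<~XML
  <user><name>alice</name><age type="integer">42</age><admin type="boolean">false</admin></user>
XML

# Only the type attribute matters here; the element content is deliberately inert.
YAML_TYPED_BODY = <<~XML
  <user><name type="yaml">--- alice</name></user>
XML

SYMBOL_TYPED_BODY = <<~XML
  <user><name type="symbol">alice</name></user>
XML

if __FILE__ == $PROGRAM_NAME
  p parse_xml_params(BENIGN_BODY)          # {"name"=>"alice", "age"=>42, "admin"=>false}
  p rejects_xml_params?(YAML_TYPED_BODY)   # true
  p rejects_xml_params?(SYMBOL_TYPED_BODY) # true
end
```

The design choice worth noting is that the allowlist is the whole mitigation: rather than trying to sanitise YAML or Symbol content, the parser never lets a client-supplied type attribute select a deserialiser at all, which is also why the framework-level fix was simply to delete those two entries from the parsing table.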

Security researcher Ben Murphy said: “An attacker can execute any Ruby code he wants including system (Unix command). This affects any Rails version for the last six years.”

"I've written POCs for Rails 3.x and Rails 2.x on Ruby 1.9.3, Ruby 1.9.2 and Ruby 1.8.7 and there is no reason to believe this wouldn't work on any Ruby/Rails combination since the bug was introduced. The exploit does not depend on code the user has written and will work with a new Rails application without any controllers."

According to a SANS Institute blog by Rob VandenBrink, senior consulting engineer at Metafore, because of the security profile of Ruby on Rails, any security issues should be taken seriously. “However, the hype and hoopla that any site with Ruby on Rails code on it is vulnerable is just that - the vulnerability being discussed is very specific in nature, but folks hear SQL injection and (mistakenly as far as I can see) send it to the headline page,” he said.

Sourcefire chief architect Adam J O'Donnell said a worm could emerge to target the vulnerabilities, but such a threat would be overshadowed by more stealthy attacks.

"The worst case situation is that attackers use the vulnerability to silently compromise massive numbers of vulnerable websites, grab everything from the database, and install persistent backdoors in the infrastructure of every organisation running the vulnerable code.

“They could also silently post a client-side exploit that targets people who come to that site, commonly known as a watering hole attack. A worm would likely force everyone to fix their infrastructure immediately, while silent exploitation may not be as motivating.”

This story originally appeared on SCMagazine.com.au. Headline courtesy of Wim Remes.
