Researchers have warned of a remote code execution exploit for flaws in Ruby on Rails that were the subject of two 'extremely critical' fixes this week.
The parameter-parsing flaws are present in all versions of the open source web application framework, and could allow attackers to bypass authentication and execute arbitrary code in apps written in Ruby on Rails.
According to Ruby on Rails, there are "multiple weaknesses in the parameter parsing code for Ruby on Rails that allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application".
According to reports, up to 250,000 Rails-based websites could be at risk from attack, as a proof-of-concept attack has been developed for all versions of Rails from the last six years but has not yet been made public. However, reports have emerged that proof-of-concept exploits have now appeared online.
Rapid7 chief security officer HD Moore said that the main problem is that the XML processor in Ruby on Rails can be tricked into decoding the request as a YAML document or as a Ruby Symbol, both of which can expose the application to remote code execution or SQL injection.
According to Moore, whose Metasploit project is written in Ruby on Rails, Rapid7 has updated all of its own RoR applications with the workaround. “This is more than likely the worst security issue that the Rails platform has seen to date,” he said.
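As an added illustration (not code from the article, from Rapid7 or from Rails), the following Ruby script screens XML request bodies for the yaml and symbol parameter types that Moore describes the XML processor being tricked into honouring; the request records are constructed samples, and the attribute match is a log-triage heuristic rather than a full XML parse.

```ruby
# Screens XML request bodies for the parameter types abused in the Rails
# parameter-parsing flaws. Constructed sample data; not from the article.
DANGEROUS_XML_TYPES = %w[yaml symbol].freeze

# Returns the sorted, de-duplicated list of dangerous type= values found in
# an XML body. Matches type="yaml" / type = 'Symbol' in any casing, so a
# request that declares either type is surfaced regardless of formatting.
def dangerous_param_types(body)
  body.scan(/\btype\s*=\s*["']\s*([a-z_]+)\s*["']/i)
      .flatten
      .map(&:downcase)
      .select { |t| DANGEROUS_XML_TYPES.include?(t) }
      .uniq
      .sort
end

# Only XML-typed requests reach the XML parameter parser, so other content
# types are ignored. Returns nil for clean requests, otherwise a small hit
# record that a SOC could feed into an alert.
def flag_request(req)
  return nil unless req[:content_type].to_s.downcase.include?("xml")
  types = dangerous_param_types(req[:body])
  types.empty? ? nil : { path: req[:path], types: types }
end

# Constructed requests: one benign typed-XML body, two that declare the
# dangerous types (element content replaced by placeholders), one JSON body.
SAMPLE_REQUESTS = [
  { path: "/users/1", content_type: "application/xml",
    body: '<user><id type="integer">1</id><admin type="boolean">false</admin></user>' },
  { path: "/session", content_type: "application/xml",
    body: '<session><token type="yaml">constructed-placeholder</token></session>' },
  { path: "/search", content_type: "text/xml",
    body: "<query><q type = 'Symbol'>constructed-placeholder</q></query>" },
  { path: "/api", content_type: "application/json",
    body: '{"type":"yaml","value":"not routed through the XML parser"}' }
].freeze

# Runs the screen over a batch of requests and keeps only the hits.
def screen(requests)
  requests.map { |r| flag_request(r) }.compact
end

if __FILE__ == $PROGRAM_NAME
  screen(SAMPLE_REQUESTS).each do |hit|
    puts "#{hit[:path]} declares dangerous XML type(s): #{hit[:types].join(', ')}"
  end
end
```

Screening like this is a stop-gap for spotting attempts; the workaround the Rails advisory itself published removes the "yaml" and "symbol" entries from ActiveSupport::XmlMini::PARSING in an initializer so the framework never honours those types.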
Security researcher Ben Murphy said: “An attacker can execute any Ruby code he wants including system (Unix command). This affects any Rails version for the last six years.”
"I've written POCs for Rails 3.x and Rails 2.x on Ruby 1.9.3, Ruby 1.9.2 and Ruby 1.8.7, and there is no reason to believe this wouldn't work on any Ruby/Rails combination since the bug was introduced. The exploit does not depend on code the user has written and will work with a new Rails application without any controllers."
According to a SANS Institute blog by Rob VandenBrink, senior consulting engineer at Metafore, because of the security profile of Ruby on Rails, any security issues should be taken seriously. “However, the hype and hoopla that any site with Ruby on Rails code on it is vulnerable is just that - the vulnerability being discussed is very specific in nature, but folks hear SQL injection and (mistakenly as far as I can see) send it to the headline page,” he said.
Sourcefire chief architect Adam J O'Donnell said a worm could emerge to target the vulnerabilities, but such a threat would be overshadowed by more stealthy attacks.
"The worst case situation is that attackers use the vulnerability to silently compromise massive numbers of vulnerable websites, grab everything from the database, and install persistent backdoors in the infrastructure of every organisation running the vulnerable code.
“They could also silently post a client-side exploit that targets people who come to that site, commonly known as a watering hole attack. A worm would likely force everyone to fix their infrastructure immediately, while silent exploitation may not be as motivating.”