October 31, 2014

Exploit for Ruby on Rails vulnerability available one day after disclosure and patch

ruby on rails(LiveHacking.Com) –  Two days ago, details of multiple vulnerabilities in the parameter parsing code for Ruby on Rails were published on the RoR security mailing list. The vulnerability allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code. It is also possible to use the vulnerabilities to perform a DoS attack on a Rails application.

The error, which is, is considered very serious.

“Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds immediately,” wrote Aaron Patterson.

On the same day another serious flaw was found. The second vulnerability is connected with how Active Record is used in conjunction with JSON parameter parsing.

“Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it,” added Patterson.

Very quickly the Ruby on Rail team issued updates 3.2.11, 3.1.10, 3.0.19, and 2.3.15 to with fixes to what it calls “two extremely critical security fixes” issues.

The seriousness of the situation was underlined by HD Moore of Metasploit fame, “this is more than likely the worst security issue that the Rails platform has seen to date.”

As of today, the Metasploit community has managed to turn the vulnerability into a working remote exploit. The Metasploit module is now available on GitHub, it handles Ruby on Rails versions 2 and 3.

Why is this serious?

Although the flaw has been fixed and new versions of the software are available, this issue remains serious due to the number of systems that remain affected. Upgrading server software isn’t necessarily quick, especially if shared hosting is used. In these cases the upgrade will need to be performed by the hosting company and this could take time.

It is recommended that all users update their software immediately to one of the versions that includes the patches. If you are using webhosting then contact your hosting company and ensure that the software is upgraded.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks