November 28, 2014

Exploit for Ruby on Rails vulnerability available one day after disclosure and patch

ruby on rails(LiveHacking.Com) –  Two days ago, details of multiple vulnerabilities in the parameter parsing code for Ruby on Rails were published on the RoR security mailing list. The vulnerability allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code. It is also possible to use the vulnerabilities to perform a DoS attack on a Rails application.

The error, which is, is considered very serious.

“Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds immediately,” wrote Aaron Patterson.

On the same day another serious flaw was found. The second vulnerability is connected with how Active Record is used in conjunction with JSON parameter parsing.

“Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it,” added Patterson.

Very quickly the Ruby on Rail team issued updates 3.2.11, 3.1.10, 3.0.19, and 2.3.15 to with fixes to what it calls “two extremely critical security fixes” issues.

The seriousness of the situation was underlined by HD Moore of Metasploit fame, “this is more than likely the worst security issue that the Rails platform has seen to date.”

As of today, the Metasploit community has managed to turn the vulnerability into a working remote exploit. The Metasploit module is now available on GitHub, it handles Ruby on Rails versions 2 and 3.

Why is this serious?

Although the flaw has been fixed and new versions of the software are available, this issue remains serious due to the number of systems that remain affected. Upgrading server software isn’t necessarily quick, especially if shared hosting is used. In these cases the upgrade will need to be performed by the hosting company and this could take time.

It is recommended that all users update their software immediately to one of the versions that includes the patches. If you are using webhosting then contact your hosting company and ensure that the software is upgraded.

Ruby on Rails SQL Injection Vulnerability Found

(LiveHacking.Com) – A SQL injection vulnerability has been found in the Active Record component of Ruby on Rails. Active Record connects classes to a relational database tables giving applications a persistence layer.

According to the security advisory a vulnerability has been found in the way Active Record handles nested query parameters. An attacker can use a specially crafted request to inject some forms of SQL into an application’s SQL queries. For an application to be vulnerable it needs to directly pass request parameters to the `where` method of an ActiveRecord class like this: Post.where(:id => params[:id]).all

To exploit this weakness, an attacker needs to make a request that causes `params[:id]` (see above) to return a specially crafted hash. This will will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

Workaround
There is a workaround where vulnerable code needs to be changed so that the parameter is cast to the expected value. For example:

Post.where(:id => params[:id]).all

is changed to this:

Post.where(:id => params[:id].to_s).all

The Ruby on Rails team have released new versions to fix the problem. Affected versions are 3.0.0 and all later versions, however 2.3.14 is not affected. The fixed Versions are 3.2.4, 3.1.5, 3.0.13. The latest versions can be downloaded from here.

All users running an affected release should upgrade immediately.

Ruby on Rails Updated to Fix XSS Vulnerability

(LiveHacking.Com) – The open source open source web framework Ruby on Rails has been updated to fix a cross site scripting vulnerability in the translate helper method.

The vulnerability, which could allow an attacker to insert arbitrary code into a page, affects versions 3.0.0 and later as well as version 2.3.X in combination with the rails_xss plugin. It has been fixed in version 3.0.11 and version 3.1.2.

The bug in the translate helper method meant that when using interpolation in combination with HTML-safe translations, the interpolated input would not get HTML escaped

The releases notes gives the following example:

translate('foo_html', :something => '<script>') # => "...<script>..."

After:

translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."

Shortly after the release of 3.1.2, the Ruby on Rails team released 3.1.3 to fix a number of regressions that found their way into 3.1.2, including a fix to the translate helper with a html translation which uses the :count option for pluralization.