October 24, 2014

Exploit for Ruby on Rails vulnerability available one day after disclosure and patch

ruby on rails(LiveHacking.Com) –  Two days ago, details of multiple vulnerabilities in the parameter parsing code for Ruby on Rails were published on the RoR security mailing list. The vulnerability allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code. It is also possible to use the vulnerabilities to perform a DoS attack on a Rails application.

The error, which is, is considered very serious.

“Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds immediately,” wrote Aaron Patterson.

On the same day another serious flaw was found. The second vulnerability is connected with how Active Record is used in conjunction with JSON parameter parsing.

“Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it,” added Patterson.

Very quickly the Ruby on Rail team issued updates 3.2.11, 3.1.10, 3.0.19, and 2.3.15 to with fixes to what it calls “two extremely critical security fixes” issues.

The seriousness of the situation was underlined by HD Moore of Metasploit fame, “this is more than likely the worst security issue that the Rails platform has seen to date.”

As of today, the Metasploit community has managed to turn the vulnerability into a working remote exploit. The Metasploit module is now available on GitHub, it handles Ruby on Rails versions 2 and 3.

Why is this serious?

Although the flaw has been fixed and new versions of the software are available, this issue remains serious due to the number of systems that remain affected. Upgrading server software isn’t necessarily quick, especially if shared hosting is used. In these cases the upgrade will need to be performed by the hosting company and this could take time.

It is recommended that all users update their software immediately to one of the versions that includes the patches. If you are using webhosting then contact your hosting company and ensure that the software is upgraded.

Ruby on Rails SQL Injection Vulnerability Found

(LiveHacking.Com) – A SQL injection vulnerability has been found in the Active Record component of Ruby on Rails. Active Record connects classes to a relational database tables giving applications a persistence layer.

According to the security advisory a vulnerability has been found in the way Active Record handles nested query parameters. An attacker can use a specially crafted request to inject some forms of SQL into an application’s SQL queries. For an application to be vulnerable it needs to directly pass request parameters to the `where` method of an ActiveRecord class like this: Post.where(:id => params[:id]).all

To exploit this weakness, an attacker needs to make a request that causes `params[:id]` (see above) to return a specially crafted hash. This will will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

Workaround
There is a workaround where vulnerable code needs to be changed so that the parameter is cast to the expected value. For example:

Post.where(:id => params[:id]).all

is changed to this:

Post.where(:id => params[:id].to_s).all

The Ruby on Rails team have released new versions to fix the problem. Affected versions are 3.0.0 and all later versions, however 2.3.14 is not affected. The fixed Versions are 3.2.4, 3.1.5, 3.0.13. The latest versions can be downloaded from here.

All users running an affected release should upgrade immediately.

Microsoft First to Patch Universal Hash Table Collision Vulnerability with Out-of-band Update

(LiveHacking.Com) – Security Researchers have exposed a flaw in the way the popular Web programming languages (like PHP, ASP.NET and Python) handle hash table collisions resulting in huge CPU usage and a subsequent denial of service. The discoveries were announced yesterday (Wednesday) at the Chaos Communication Congress event in Germany. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google’s open source JavaScript engine V8.

Although hash collision denial-of-service attacks have been discussed since 2003, Alexander Klink and Julian Wälde have now shown that many programming languages use hash tables while parsing POST forms to make them easily accessible by application developers. And so it is possible for an attacker to send a small number of specially crafted posts to a server, causing high CPU utilization and creating a denial of service condition.

“If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request” write the pair in their advisory.

Microsoft have been one of the first to respond to this issue with several announcements including  Security Advisory 2659883 and an advance notification for an out-of-band security update to address the issue. The release is scheduled for today, December 29, at approximately 10 a.m. PST.

According to Microsoft’s security advisory this vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. Tthe .NET Framework is vulnerable from version 1.0 right through to version 4.0.

Microsoft are rating this out-of-band bulletin as “Critical” and it is likely it will will release updates for

  • Microsoft .NET Framework 1.0 Service Pack 3 (Media Center Edition 2005 and Tablet PC Edition 2005 only)
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4

For Windows XP, Server 2003, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 across Intel 32 bit, Intel 64 bit and Itanium where applicable.

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the ruby 1.8.7 patchlevel 357 release notes.

More information regarding this vulnerability can be found in US-CERT Vulnerability NoteVU#903934 and n.runs Security Advisory n.runs-SA-2011.004.