SlideShare a Scribd company logo

HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective

Hackito Ergo Sum
Hackito Ergo Sum
Technology
1 of 58
Download to read offline
Ruby on Rails from a code auditor's perspective 0x0b4dc0de the RoR way 9th April 2011 Hackito Ergo Sum
Meta / Disclaimer ● It's an attempt to share my experience in reading Ruby on Rails code with the aim to find nice¹ bugs ● You can expect some code and practical examples from ● Redmine – Open Source project management software ● CCCMS – http://ccc.de ● I'm not a coder ● Rather, I enjoy reading other people's code – So don't expect a RoR development tutorial ¹) as in: security
Intro
RoR – WTF? ● Ruby on Rails ● Blah² from the website: – “Ruby on Rails © is an open-source web framework that's optimized for programmer happiness and sustainable productivity. It lets you write beautiful code by favoring convention over configuration.” ● Current version: 3.0.5 ● Model-View-Controller based webapp framework written in Ruby
MVC ● Model-View-Controller: a software architecture pattern isolating different domains of the software into three parts ● Model: handling data of the application as well as state changes ● View: user interface elements ● Controller: I/O, application logic calling methods of the model and view
RoR – Controller ● Located in $railsapp/app/controllers class PostsController < ActionController::Base […] 1 def show  2  @post = Post.find(params[:id])  3  respond_to do |format|  4    format.html # show.html.erb  5    format.xml { render :xml => @post }  6  end  7 end  […]
RoR – Model ● Located in $railsapp/app/models 1 class User < ActiveRecord::Base 2   has_many :posts 3   verifies_presence_of :name 4   verifies_uniqueness_of :name 5 end
RoR – View ● Located in $railsapp/app/views ● Typically written in ERB ● Mixture of HTML and Ruby 01 <% if @posts.blank? %> 02   <p>There are no posts yet.</p> 03 <% else %> 04   <ul id="posts"> 05   <% @posts.each do |c| %> 06     <li><%= link_to c.title, {:action => 'show', :id => c.id} =%></li> 07   <% end %> 08   </ul> 09 <% end %> 10 <p><%= link_to "Add new Post", {:action => 'new' }%></p>
Looks shiny, huh?
Reading the code and (ab)using the webapp
RoR – Reading the Code ● Ruby tends to be easy to read, so does RoR ● There are at least three layers (MVC) ● All layers have to be covered when reading the source code (for finding bugs) ● Additionally, there's libs, helpers, etc. ● There might be checks somewhere you don't expect ● There might be bugs somewhere you don't expect
RoR – Database ● Database is configured in ● $railsapp/config/database.yml ● Migrations are used to describe the database tables (in Ruby) ● These are then deployed on the database using rake
RoR – Migrations ● Example taken from Redmine ● db/migrate/001_setup.rb create_table "users", :force => true do |t|   t.column "login", :string, :limit => 30, :default => "", :null => false   t.column "hashed_password", :string, :limit => 40, :default => "", :null => false   t.column "firstname", :string, :limit => 30, :default => "", :null => false   t.column "lastname", :string, :limit => 30, :default => "", :null => false   t.column "mail", :string, :limit => 60, :default => "", :null => false   t.column "mail_notification", :boolean, :default => true, :null => false   t.column "admin", :boolean, :default => false, :null => false […]  
RoR - Filters ● Filter example taken from Redmine ● app/controllers/issues_controller.rb 1 class UsersController < ApplicationController 2   layout 'admin' 3 4   before_filter :require_admin, :except => :show
RoR – Filters ● So mainly, there are ● before_filter ● after_filter ● skip_before_filter ● skip_after_filter ● around_filter
RoR – User Input ● Look for params[:something] in the controller ● Take a look at the model/migration/DB to know which fields you might potentially influence ● Post it like: something=foo ● params[:something][:bar] is posted like something[bar]=foo
RoR – User Input ● RoR also takes automagically user input as ● XML – Post with Content-Type text/xml: <user>   <firstname>chunky</firstname> </user> ● JSON – Post with Content-Type application/json: {     User:{         lastname:'bacon'     } }
Good old friends
The Usual Web Application Suspects ● SQL Injection ● XSS ● CSRF
SQL Injection the RoR way ● Rarely found ● Per se, RoR hides away plain SQL – User.where(:first_name => “Chunky”, :last_name =>  “Bacon”) ● Look for the typical concatenation patterns 1 def sqlinjectme 2  User.find(:all, :conditions => "id = #{params[:id]}") 3 end ● Unfortunately stacked queries do not work
XSS the RoR way ● In order to find XSS bugs ● Look at the views – <%= @post.title %> vs. – <%= h @post.title %> ● Look at formatters ● Just try to find XSS scripted/manually
Redmine persistent XSS ● Somewhat hard to spot ● Found it by chance ;) ● Problem in the syntax highlighter: ● lib/redcloth3.rb
Redmine persistent XSS 1 htmlesc( aftertag, :NoQuotes ) if aftertag &&    escape_aftertag && !   first.match(/<codes+class="(w+)">/) 2 line = "<redpre##{ @pre_list.length }>" 3 first.match(/<#{ OFFTAGS }([^>]*)>/) 4 tag = $1 5 $2.to_s.match(/(class=S+)/i) 6 tag << " #{$1}" if $1 7 @pre_list << "<#{ tag }>#{ aftertag }"
CSRF ● There is some RoR magic to protect_from_forgery: 1 class FooController < ApplicationController 2   protect_from_forgery :except => :index   
To be a bit more specific
Bugs the RoR way ● Rails has a lot of fancy automagic ● … which might eventually blow up in your face ● “Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris.” – Larry Wall
Automagic – Mass Assignments ● When there is an assignment like ● user[name] = “Chunky Bacon” ● This is typically saved with ● 1 user = @params[:user] ● 2 user.save
Automagic – Mass Assignments ● When there is an assignment like ● user[name] = “Chunky Bacon” ● This is typically saved with ● 1 user = @params[:user] ● 2 user.save ● So what if you posted ● user[name]= “Chunky Bacon” ● user[admin]= true
Mass Assignment – CCC Website ● CCCMS – “feature” allowing regular users promoting themselves to admin 1 def update 2   3  if @user.update_attributes(params[:user]) […] 
Mass Assignment – CCC Website ● CCCMS – patch preventing regular users promoting themselves to admin 1 def update 2  params[:user].delete(:admin) unless current_user.is_admin? 3  if @user.update_attributes(params[:user]) […] 
Preventing Mass Assignments ● To be fixed in the model ● Example taken from Redmine: 1 class User < Principal […] 2   attr_protected :login, :admin, […] 
Laziness – Infoleaks ● All those fanciness of RoR doesn't help against lazy developers ● If you're having a second controller accessing a model, you have to implement proper filters as well
Redmine – Journals Infoleak ● Leaks info about issue descriptions, even if they are not visible to the current user ● app/controllers/journals_controller.rb 1 class JournalsController < ApplicationController 2   before_filter :find_journal, :only => [:edit] 3   before_filter :find_issue, :only => [:new] 4   before_filter :find_optional_project, :only => [:index] 5 […]
Redmine – Journals Infoleak ● Leaks info about issue descriptions, even if they are not visible to the current user ● app/controllers/journals_controller.rb 1 class JournalsController < ApplicationController 2   before_filter :find_journal, :only => [:edit] 3   before_filter :find_issue, :only => [:new] 4   before_filter :find_optional_project, :only => [:index] 5   before_filter :authorize, :only => [:new, :edit] […]
Digging a bit deeper
Digging a bit deeper ● There is more than just the MVC code ● $railsapp/lib/ ● $railsapp/vendor/plugins ● $railsapp/app/helpers ● There is RoR code itself
Redmine – SCM Adapters ● app/controllers/repositories_controller.rb 1 before_filter :find_repository, :except => :edit […]   2 def diff 3   if params[:format] == 'diff' 4   @diff = @repository.diff(@path, @rev, @rev_to) […] 5 def find_repository […] 6   @rev = params[:rev].blank? ? @repository.default_branch :       params[:rev].strip
Redmine – SCM Adapters ● lib/redmine/scm/adapters/bazaar_adapter.rb 1  def diff(path, identifier_from, identifier_to=nil) 2    path ||= '' 3    if identifier_to 4      identifier_to = identifier_to.to_i 5    else 6      identifier_to = identifier_from.to_i ­ 1 7    end 8    cmd = "#{BZR_BIN} diff                                 ­r#{identifier_to}..#{identifier_from}          #{target(path)}"
Redmine – Command Execution ● http://redminehost/projects/ $project/repository/diff/?rev=`cmd`
XXX¹ ● Open Source Rails app ● Developed by xxx.com ● Was suspicious to me due to heavily using send statements on user input ● send(symbol, [args...]) ● Invokes the method identified by symbol, passing it any arguments specified. ● Allows private methods to be called ¹) sorry had to censor this
send, my new best friend ● In XXX's controllers I didn't find anything directly exploitable :-( ● But then a search helper lib got my attention: ● some/lib/path/search.rb: 01 values.each do |condition, value| 02   mass_conditions[condition.to_sym] = value 03   value.delete_if { |v| ignore_value?(v) } if value.is_a?(Array) 04   next if ignore_value?(value) 05   @current_scope = @current_scope.send(condition, value)
send, my new best friend ● How about: GET /triggerpath?search[instance_eval]= %60touch%20%2ftmp%2fcommand_exec%60  HTTP/1.1 ● Or just msfupdate in a couple of days ;-)
Rails itself ● Of course, there is the RoR code itself ● Didn't look into it deeply enough (yet)
Security Mechanisms – CSRF Tokens ● Short recap: ● protect_from_forgery ● But wait a minute ● Thumbs up to Felix Gröbert (Google Sec. Team) – CVE-2011-0447 – Fixed in Rails 3.0.4
Security Mechanisms – CSRF Tokens ● actionpack/lib/action_controller/metal/request_forgery_protectio n.rb 1  def verified_request? 2    !protect_against_forgery? ||request.forgery_whitelisted? || 3    form_authenticity_token == params[request_forgery_protection_token] 4  end ● actionpack/lib/action_dispatch/http/request.rb 5  def forgery_whitelisted? 6    get? || xhr? || content_mime_type.nil? ||      !content_mime_type.verify_request? 7  end
Security Mechanisms – CSRF Tokens ● actionpack/lib/action_dispatch/http/mime_type.rb 1  def verify_request? 2    @@browser_generated_types.include?(to_sym) 3  end ● With 4 @@browser_generated_types = Set.new [:html,    :url_encoded_form,:multipart_form, :text]
RoR Generic CSRF Protection Bypass
RoR Generic CSRF Protection Bypass ● Post to yoursite.com with flash¹ ● Let yoursite.com redirect via 307 to target.com ● Supply application/json with proper json params ● authenticity_token should also be present (arbitrary string) ● Resend popup in Firefox ¹) Cross-domain POST header manipulation details: http://bit.ly/hc65g3
Session Cookies ● Session cookie holds all session information ● Accessed like: session[:user_id] ● _twitter_sess=$base64blob­­$sha1hmac
Session Cookies ● Can be loaded after base64 decoding with ● Marshal.load token ● => {:logged_in_after_phx_default=>false,  :created_at=>1293669570258, :in_new_user_flow=>nil,  :show_help_link=>nil, :user=>19395266,  :password_token=>"censored",  "show_discoverability_for_joernchen"=>nil,  "flash"=>{}, :id=>"censored", :csrf_id=>"censored"}
Some Thoughts on Session Cookies ● Looked at the RoR handling of Session Cookies → looked fine to me ● Maybe you find something I missed ● But keep in mind: ● What has been HMACed can't be un-HMACed
What has been HMACed ● A fictional example of some RoR controller: 01 def grant_token # called only once for a user 02   session[:token] = true 03 end 04 def invalidate # called in do_the_magic 05   session[:token] = false 06 end 07 def check # check if user has used token 08   if session[:token] == true 09     do_the_magic 10   else 11     do_not_do the magic 12   end 13 end
What has been HMACed ● The before made example is vulnerable to simple replay attacks ● Once you have a HMACed session cookie with special capabilities in a naïve implementation noone stops you from reusing that cookie. ● Simple experiment: ● Go to twitter.com and login (without “Remember Me”). ● Save your _twitter_sess cookie ● Logout ● Restore the _twitter_sess cookie ● Be logged in again :-)
Outro
Kudos to Jean-Philippe Lang ● Initial notification of ● Infoleak issue ● Persistent XSS ● Multiple CMD-Exec bugs ● ~ 2:00 PM ● Respone “I'll fix it and let you know” ● ~ 6:00 PM ● Response “It's fixed and there will be a new release tomorrow” ● ~ 8:00 PM ● 2h for a complete fix. ● So in case you use Redmine ● Update at least to version 1.0.5 =)
Thanks for Listening Any Questions?
Cheers ● astera <3 ● all @ ● xilef ● ● opti ● Recurity Labs ● Zynamics (RIP ;-)) ● til ● Das Labor ● tina ● Timecoderz ● Dangerous Drums ● HES-Orga

Recommended

Javascript Basics
Javascript BasicsJavascript Basics
Javascript Basics
Vishal Mittal
 
Send, pass, get variables with php, form, html & java script code
Send, pass, get variables with php, form, html & java script codeSend, pass, get variables with php, form, html & java script code
Send, pass, get variables with php, form, html & java script code
Noushadur Shoukhin
 
LESS CSS Pre-processor
LESS CSS Pre-processorLESS CSS Pre-processor
LESS CSS Pre-processor
Kannika Kong
 
Building Complex GUI Apps The Right Way. With Ample SDK - SWDC2010
Building Complex GUI Apps The Right Way. With Ample SDK - SWDC2010Building Complex GUI Apps The Right Way. With Ample SDK - SWDC2010
Building Complex GUI Apps The Right Way. With Ample SDK - SWDC2010
Sergey Ilinsky
 
More about PHP
More about PHPMore about PHP
More about PHP
Jonathan Francis Roscoe
 
Even Faster Web Sites at The Ajax Experience
Even Faster Web Sites at The Ajax ExperienceEven Faster Web Sites at The Ajax Experience
Even Faster Web Sites at The Ajax Experience
Steve Souders
 
Introduction to Javascript
Introduction to JavascriptIntroduction to Javascript
Introduction to Javascript
Amit Tyagi
 
Introduction to JavaScript Basics.
Introduction to JavaScript Basics.Introduction to JavaScript Basics.
Introduction to JavaScript Basics.
Hassan Ahmed Baig - Web Developer
 

Recommended

Javascript Basics
Javascript BasicsJavascript Basics
Javascript Basics
Vishal Mittal
 
Send, pass, get variables with php, form, html & java script code
Send, pass, get variables with php, form, html & java script codeSend, pass, get variables with php, form, html & java script code
Send, pass, get variables with php, form, html & java script code
Noushadur Shoukhin
 
LESS CSS Pre-processor
LESS CSS Pre-processorLESS CSS Pre-processor
LESS CSS Pre-processor
Kannika Kong
 
Building Complex GUI Apps The Right Way. With Ample SDK - SWDC2010
Building Complex GUI Apps The Right Way. With Ample SDK - SWDC2010Building Complex GUI Apps The Right Way. With Ample SDK - SWDC2010
Building Complex GUI Apps The Right Way. With Ample SDK - SWDC2010
Sergey Ilinsky
 
More about PHP
More about PHPMore about PHP
More about PHP
Jonathan Francis Roscoe
 
Even Faster Web Sites at The Ajax Experience
Even Faster Web Sites at The Ajax ExperienceEven Faster Web Sites at The Ajax Experience
Even Faster Web Sites at The Ajax Experience
Steve Souders
 
Introduction to Javascript
Introduction to JavascriptIntroduction to Javascript
Introduction to Javascript
Amit Tyagi
 
Introduction to JavaScript Basics.
Introduction to JavaScript Basics.Introduction to JavaScript Basics.
Introduction to JavaScript Basics.
Hassan Ahmed Baig - Web Developer
 
Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009
Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009
Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009
Yasuko Ohba
 
Ruby on Rails: Coding Guideline
Ruby on Rails: Coding GuidelineRuby on Rails: Coding Guideline
Ruby on Rails: Coding Guideline
Nascenia IT
 
Rails 3 hints
Rails 3 hintsRails 3 hints
Rails 3 hints
Tiago Cardoso
 
Código Saudável => Programador Feliz - Rs on Rails 2010
Código Saudável => Programador Feliz - Rs on Rails 2010Código Saudável => Programador Feliz - Rs on Rails 2010
Código Saudável => Programador Feliz - Rs on Rails 2010
Plataformatec
 
RoR 101: Session 2
RoR 101: Session 2RoR 101: Session 2
RoR 101: Session 2
Rory Gianni
 
Ruby meetup ROM
Ruby meetup ROMRuby meetup ROM
Ruby meetup ROM
Nikita Shilnikov
 
Rails Tips and Best Practices
Rails Tips and Best PracticesRails Tips and Best Practices
Rails Tips and Best Practices
David Keener
 
Jasig Rubyon Rails
Jasig Rubyon RailsJasig Rubyon Rails
Jasig Rubyon Rails
Paul Pajo
 
Learning to code for startup mvp session 3
Learning to code for startup mvp session 3Learning to code for startup mvp session 3
Learning to code for startup mvp session 3
Henry S
 
2011-02-03 LA RubyConf Rails3 TDD Workshop
2011-02-03 LA RubyConf Rails3 TDD Workshop2011-02-03 LA RubyConf Rails3 TDD Workshop
2011-02-03 LA RubyConf Rails3 TDD Workshop
Wolfram Arnold
 
Ruby On Rails Introduction
Ruby On Rails IntroductionRuby On Rails Introduction
Ruby On Rails Introduction
Thomas Fuchs
 
Supa fast Ruby + Rails
Supa fast Ruby + RailsSupa fast Ruby + Rails
Supa fast Ruby + Rails
Jean-Baptiste Feldis
 
Software Development with PHP & Laravel
Software Development with PHP & LaravelSoftware Development with PHP & Laravel
Software Development with PHP & Laravel
Juan Victor Minaya León
 
Intro to web scraping with Python
Intro to web scraping with PythonIntro to web scraping with Python
Intro to web scraping with Python
Maris Lemba
 
Damage Control
Damage ControlDamage Control
Damage Control
sintaxi
 
Intro to Rails 4
Intro to Rails 4Intro to Rails 4
Intro to Rails 4
Kartik Sahoo
 
Helpful logging with python
Helpful logging with pythonHelpful logging with python
Helpful logging with python
roskakori
 
Ramaze - The Underrated Ruby Web Framework
Ramaze - The Underrated Ruby Web FrameworkRamaze - The Underrated Ruby Web Framework
Ramaze - The Underrated Ruby Web Framework
luccastera
 
Ruby on Rails introduction
Ruby on Rails introduction Ruby on Rails introduction
Ruby on Rails introduction
Tran Hung
 
Porting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability SystemsPorting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability Systems
Marcelo Pinheiro
 
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
Hackito Ergo Sum
 
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - StackjackingHES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
Hackito Ergo Sum
 

More Related Content

Similar to HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective

Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009
Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009
Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009
Yasuko Ohba
 
Learning to code for startup mvp session 3
Learning to code for startup mvp session 3Learning to code for startup mvp session 3
Learning to code for startup mvp session 3
Henry S
 
Porting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability SystemsPorting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability Systems
Marcelo Pinheiro
 

Similar to HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective (20)

Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009
Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009
Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009
 
Ruby on Rails: Coding Guideline
Ruby on Rails: Coding GuidelineRuby on Rails: Coding Guideline
Ruby on Rails: Coding Guideline
 
Rails 3 hints
Rails 3 hintsRails 3 hints
Rails 3 hints
 
Código Saudável => Programador Feliz - Rs on Rails 2010
Código Saudável => Programador Feliz - Rs on Rails 2010Código Saudável => Programador Feliz - Rs on Rails 2010
Código Saudável => Programador Feliz - Rs on Rails 2010
 
RoR 101: Session 2
RoR 101: Session 2RoR 101: Session 2
RoR 101: Session 2
 
Ruby meetup ROM
Ruby meetup ROMRuby meetup ROM
Ruby meetup ROM
 
Rails Tips and Best Practices
Rails Tips and Best PracticesRails Tips and Best Practices
Rails Tips and Best Practices
 
Jasig Rubyon Rails
Jasig Rubyon RailsJasig Rubyon Rails
Jasig Rubyon Rails
 
Learning to code for startup mvp session 3
Learning to code for startup mvp session 3Learning to code for startup mvp session 3
Learning to code for startup mvp session 3
 
2011-02-03 LA RubyConf Rails3 TDD Workshop
2011-02-03 LA RubyConf Rails3 TDD Workshop2011-02-03 LA RubyConf Rails3 TDD Workshop
2011-02-03 LA RubyConf Rails3 TDD Workshop
 
Ruby On Rails Introduction
Ruby On Rails IntroductionRuby On Rails Introduction
Ruby On Rails Introduction
 
Supa fast Ruby + Rails
Supa fast Ruby + RailsSupa fast Ruby + Rails
Supa fast Ruby + Rails
 
Software Development with PHP & Laravel
Software Development with PHP & LaravelSoftware Development with PHP & Laravel
Software Development with PHP & Laravel
 
Intro to web scraping with Python
Intro to web scraping with PythonIntro to web scraping with Python
Intro to web scraping with Python
 
Damage Control
Damage ControlDamage Control
Damage Control
 
Intro to Rails 4
Intro to Rails 4Intro to Rails 4
Intro to Rails 4
 
Helpful logging with python
Helpful logging with pythonHelpful logging with python
Helpful logging with python
 
Ramaze - The Underrated Ruby Web Framework
Ramaze - The Underrated Ruby Web FrameworkRamaze - The Underrated Ruby Web Framework
Ramaze - The Underrated Ruby Web Framework
 
Ruby on Rails introduction
Ruby on Rails introduction Ruby on Rails introduction
Ruby on Rails introduction
 
Porting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability SystemsPorting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability Systems
 

More from Hackito Ergo Sum

HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
Hackito Ergo Sum
 
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - StackjackingHES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
Hackito Ergo Sum
 
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
Hackito Ergo Sum
 
HES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you can
Hackito Ergo Sum
 
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum CrackmeHES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
Hackito Ergo Sum
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
Hackito Ergo Sum
 
HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
HES2011 - Jon Larimer - Autorun Vulnerabilities on LinuxHES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
Hackito Ergo Sum
 
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARFHES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
Hackito Ergo Sum
 
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
Hackito Ergo Sum
 
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X SandboxHES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
Hackito Ergo Sum
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
Hackito Ergo Sum
 
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
Hackito Ergo Sum
 
HES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet YouHES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet You
Hackito Ergo Sum
 

More from Hackito Ergo Sum (13)

HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
 
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - StackjackingHES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
 
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
 
HES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you can
 
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum CrackmeHES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
 
HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
HES2011 - Jon Larimer - Autorun Vulnerabilities on LinuxHES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
 
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARFHES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
 
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
 
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X SandboxHES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
 
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
 
HES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet YouHES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet You
 

Recently uploaded

Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
panagenda
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
ScyllaDB
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 

Recently uploaded (20)

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 

HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective

  • 1. Ruby on Rails from a code auditor's perspective 0x0b4dc0de the RoR way 9th April 2011 Hackito Ergo Sum
  • 2. Meta / Disclaimer ● It's an attempt to share my experience in reading Ruby on Rails code with the aim to find nice¹ bugs ● You can expect some code and practical examples from ● Redmine – Open Source project management software ● CCCMS – http://ccc.de ● I'm not a coder ● Rather, I enjoy reading other people's code – So don't expect a RoR development tutorial ¹) as in: security
  • 4. RoR – WTF? ● Ruby on Rails ● Blah² from the website: – “Ruby on Rails © is an open-source web framework that's optimized for programmer happiness and sustainable productivity. It lets you write beautiful code by favoring convention over configuration.” ● Current version: 3.0.5 ● Model-View-Controller based webapp framework written in Ruby
  • 5. MVC ● Model-View-Controller: a software architecture pattern isolating different domains of the software into three parts ● Model: handling data of the application as well as state changes ● View: user interface elements ● Controller: I/O, application logic calling methods of the model and view
  • 6. RoR – Controller ● Located in $railsapp/app/controllers class PostsController < ActionController::Base […] 1 def show  2  @post = Post.find(params[:id])  3  respond_to do |format|  4    format.html # show.html.erb  5    format.xml { render :xml => @post }  6  end  7 end  […]
  • 7. RoR – Model ● Located in $railsapp/app/models 1 class User < ActiveRecord::Base 2   has_many :posts 3   verifies_presence_of :name 4   verifies_uniqueness_of :name 5 end
  • 8. RoR – View ● Located in $railsapp/app/views ● Typically written in ERB ● Mixture of HTML and Ruby 01 <% if @posts.blank? %> 02   <p>There are no posts yet.</p> 03 <% else %> 04   <ul id="posts"> 05   <% @posts.each do |c| %> 06     <li><%= link_to c.title, {:action => 'show', :id => c.id} =%></li> 07   <% end %> 08   </ul> 09 <% end %> 10 <p><%= link_to "Add new Post", {:action => 'new' }%></p>
  • 10. Reading the code and (ab)using the webapp
  • 11. RoR – Reading the Code ● Ruby tends to be easy to read, so does RoR ● There are at least three layers (MVC) ● All layers have to be covered when reading the source code (for finding bugs) ● Additionally, there's libs, helpers, etc. ● There might be checks somewhere you don't expect ● There might be bugs somewhere you don't expect
  • 12. RoR – Database ● Database is configured in ● $railsapp/config/database.yml ● Migrations are used to describe the database tables (in Ruby) ● These are then deployed on the database using rake
  • 13. RoR – Migrations ● Example taken from Redmine ● db/migrate/001_setup.rb create_table "users", :force => true do |t|   t.column "login", :string, :limit => 30, :default => "", :null => false   t.column "hashed_password", :string, :limit => 40, :default => "", :null => false   t.column "firstname", :string, :limit => 30, :default => "", :null => false   t.column "lastname", :string, :limit => 30, :default => "", :null => false   t.column "mail", :string, :limit => 60, :default => "", :null => false   t.column "mail_notification", :boolean, :default => true, :null => false   t.column "admin", :boolean, :default => false, :null => false […]  
  • 14. RoR - Filters ● Filter example taken from Redmine ● app/controllers/issues_controller.rb 1 class UsersController < ApplicationController 2   layout 'admin' 3 4   before_filter :require_admin, :except => :show
  • 15. RoR – Filters ● So mainly, there are ● before_filter ● after_filter ● skip_before_filter ● skip_after_filter ● around_filter
  • 16. RoR – User Input ● Look for params[:something] in the controller ● Take a look at the model/migration/DB to know which fields you might potentially influence ● Post it like: something=foo ● params[:something][:bar] is posted like something[bar]=foo
  • 17. RoR – User Input ● RoR also takes automagically user input as ● XML – Post with Content-Type text/xml: <user>   <firstname>chunky</firstname> </user> ● JSON – Post with Content-Type application/json: {     User:{         lastname:'bacon'     } }
  • 18.
  • 20. The Usual Web Application Suspects ● SQL Injection ● XSS ● CSRF
  • 21. SQL Injection the RoR way ● Rarely found ● Per se, RoR hides away plain SQL – User.where(:first_name => “Chunky”, :last_name =>  “Bacon”) ● Look for the typical concatenation patterns 1 def sqlinjectme 2  User.find(:all, :conditions => "id = #{params[:id]}") 3 end ● Unfortunately stacked queries do not work
  • 22. XSS the RoR way ● In order to find XSS bugs ● Look at the views – <%= @post.title %> vs. – <%= h @post.title %> ● Look at formatters ● Just try to find XSS scripted/manually
  • 23. Redmine persistent XSS ● Somewhat hard to spot ● Found it by chance ;) ● Problem in the syntax highlighter: ● lib/redcloth3.rb
  • 25. CSRF ● There is some RoR magic to protect_from_forgery: 1 class FooController < ApplicationController 2   protect_from_forgery :except => :index   
  • 26. To be a bit more specific
  • 27. Bugs the RoR way ● Rails has a lot of fancy automagic ● … which might eventually blow up in your face ● “Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris.” – Larry Wall
  • 28. Automagic – Mass Assignments ● When there is an assignment like ● user[name] = “Chunky Bacon” ● This is typically saved with ● 1 user = @params[:user] ● 2 user.save
  • 29. Automagic – Mass Assignments ● When there is an assignment like ● user[name] = “Chunky Bacon” ● This is typically saved with ● 1 user = @params[:user] ● 2 user.save ● So what if you posted ● user[name]= “Chunky Bacon” ● user[admin]= true
  • 30. Mass Assignment – CCC Website ● CCCMS – “feature” allowing regular users promoting themselves to admin 1 def update 2   3  if @user.update_attributes(params[:user]) […] 
  • 31. Mass Assignment – CCC Website ● CCCMS – patch preventing regular users promoting themselves to admin 1 def update 2  params[:user].delete(:admin) unless current_user.is_admin? 3  if @user.update_attributes(params[:user]) […] 
  • 32. Preventing Mass Assignments ● To be fixed in the model ● Example taken from Redmine: 1 class User < Principal […] 2   attr_protected :login, :admin, […] 
  • 33. Laziness – Infoleaks ● All those fanciness of RoR doesn't help against lazy developers ● If you're having a second controller accessing a model, you have to implement proper filters as well
  • 34. Redmine – Journals Infoleak ● Leaks info about issue descriptions, even if they are not visible to the current user ● app/controllers/journals_controller.rb 1 class JournalsController < ApplicationController 2   before_filter :find_journal, :only => [:edit] 3   before_filter :find_issue, :only => [:new] 4   before_filter :find_optional_project, :only => [:index] 5 […]
  • 35. Redmine – Journals Infoleak ● Leaks info about issue descriptions, even if they are not visible to the current user ● app/controllers/journals_controller.rb 1 class JournalsController < ApplicationController 2   before_filter :find_journal, :only => [:edit] 3   before_filter :find_issue, :only => [:new] 4   before_filter :find_optional_project, :only => [:index] 5   before_filter :authorize, :only => [:new, :edit] […]
  • 36. Digging a bit deeper
  • 37. Digging a bit deeper ● There is more than just the MVC code ● $railsapp/lib/ ● $railsapp/vendor/plugins ● $railsapp/app/helpers ● There is RoR code itself
  • 38. Redmine – SCM Adapters ● app/controllers/repositories_controller.rb 1 before_filter :find_repository, :except => :edit […]   2 def diff 3   if params[:format] == 'diff' 4   @diff = @repository.diff(@path, @rev, @rev_to) […] 5 def find_repository […] 6   @rev = params[:rev].blank? ? @repository.default_branch :       params[:rev].strip
  • 39. Redmine – SCM Adapters ● lib/redmine/scm/adapters/bazaar_adapter.rb 1  def diff(path, identifier_from, identifier_to=nil) 2    path ||= '' 3    if identifier_to 4      identifier_to = identifier_to.to_i 5    else 6      identifier_to = identifier_from.to_i ­ 1 7    end 8    cmd = "#{BZR_BIN} diff                                 ­r#{identifier_to}..#{identifier_from}          #{target(path)}"
  • 40. Redmine – Command Execution ● http://redminehost/projects/ $project/repository/diff/?rev=`cmd`
  • 41. XXX¹ ● Open Source Rails app ● Developed by xxx.com ● Was suspicious to me due to heavily using send statements on user input ● send(symbol, [args...]) ● Invokes the method identified by symbol, passing it any arguments specified. ● Allows private methods to be called ¹) sorry had to censor this
  • 42. send, my new best friend ● In XXX's controllers I didn't find anything directly exploitable :-( ● But then a search helper lib got my attention: ● some/lib/path/search.rb: 01 values.each do |condition, value| 02   mass_conditions[condition.to_sym] = value 03   value.delete_if { |v| ignore_value?(v) } if value.is_a?(Array) 04   next if ignore_value?(value) 05   @current_scope = @current_scope.send(condition, value)
  • 43. send, my new best friend ● How about: GET /triggerpath?search[instance_eval]= %60touch%20%2ftmp%2fcommand_exec%60  HTTP/1.1 ● Or just msfupdate in a couple of days ;-)
  • 44. Rails itself ● Of course, there is the RoR code itself ● Didn't look into it deeply enough (yet)
  • 45. Security Mechanisms – CSRF Tokens ● Short recap: ● protect_from_forgery ● But wait a minute ● Thumbs up to Felix Gröbert (Google Sec. Team) – CVE-2011-0447 – Fixed in Rails 3.0.4
  • 46. Security Mechanisms – CSRF Tokens ● actionpack/lib/action_controller/metal/request_forgery_protectio n.rb 1  def verified_request? 2    !protect_against_forgery? ||request.forgery_whitelisted? || 3    form_authenticity_token == params[request_forgery_protection_token] 4  end ● actionpack/lib/action_dispatch/http/request.rb 5  def forgery_whitelisted? 6    get? || xhr? || content_mime_type.nil? ||      !content_mime_type.verify_request? 7  end
  • 47. Security Mechanisms – CSRF Tokens ● actionpack/lib/action_dispatch/http/mime_type.rb 1  def verify_request? 2    @@browser_generated_types.include?(to_sym) 3  end ● With 4 @@browser_generated_types = Set.new [:html,    :url_encoded_form,:multipart_form, :text]
  • 48. RoR Generic CSRF Protection Bypass
  • 49. RoR Generic CSRF Protection Bypass ● Post to yoursite.com with flash¹ ● Let yoursite.com redirect via 307 to target.com ● Supply application/json with proper json params ● authenticity_token should also be present (arbitrary string) ● Resend popup in Firefox ¹) Cross-domain POST header manipulation details: http://bit.ly/hc65g3
  • 50. Session Cookies ● Session cookie holds all session information ● Accessed like: session[:user_id] ● _twitter_sess=$base64blob­­$sha1hmac
  • 51. Session Cookies ● Can be loaded after base64 decoding with ● Marshal.load token ● => {:logged_in_after_phx_default=>false,  :created_at=>1293669570258, :in_new_user_flow=>nil,  :show_help_link=>nil, :user=>19395266,  :password_token=>"censored",  "show_discoverability_for_joernchen"=>nil,  "flash"=>{}, :id=>"censored", :csrf_id=>"censored"}
  • 52. Some Thoughts on Session Cookies ● Looked at the RoR handling of Session Cookies → looked fine to me ● Maybe you find something I missed ● But keep in mind: ● What has been HMACed can't be un-HMACed
  • 53. What has been HMACed ● A fictional example of some RoR controller: 01 def grant_token # called only once for a user 02   session[:token] = true 03 end 04 def invalidate # called in do_the_magic 05   session[:token] = false 06 end 07 def check # check if user has used token 08   if session[:token] == true 09     do_the_magic 10   else 11     do_not_do the magic 12   end 13 end
  • 54. What has been HMACed ● The before made example is vulnerable to simple replay attacks ● Once you have a HMACed session cookie with special capabilities in a naïve implementation noone stops you from reusing that cookie. ● Simple experiment: ● Go to twitter.com and login (without “Remember Me”). ● Save your _twitter_sess cookie ● Logout ● Restore the _twitter_sess cookie ● Be logged in again :-)
  • 55. Outro
  • 56. Kudos to Jean-Philippe Lang ● Initial notification of ● Infoleak issue ● Persistent XSS ● Multiple CMD-Exec bugs ● ~ 2:00 PM ● Respone “I'll fix it and let you know” ● ~ 6:00 PM ● Response “It's fixed and there will be a new release tomorrow” ● ~ 8:00 PM ● 2h for a complete fix. ● So in case you use Redmine ● Update at least to version 1.0.5 =)
  • 57. Thanks for Listening Any Questions?
  • 58. Cheers ● astera <3 ● all @ ● xilef ● ● opti ● Recurity Labs ● Zynamics (RIP ;-)) ● til ● Das Labor ● tina ● Timecoderz ● Dangerous Drums ● HES-Orga