
Ruby on Rails Vulnerability: The Exploit and the Importance of Patching

Guest post:

If you’re running a Ruby on Rails version affected by CVE-2013-0156 but haven’t patched your server yet, what are you waiting for?

Nothing good lasts forever, and as it must to all good things, an attack has come to Ruby on Rails, one of the Internet’s more popular open-source web development frameworks. The exploit first surfaced in January of 2013, and those who have not yet applied the available patches could be in for trouble.

By the time the first warnings appeared, developers had already introduced the earliest fixes, but a large number of users paid no attention. Many who failed to heed the call soon had reason to regret their inattention to this vital detail.

The Exploit’s Insidious Methods

The vulnerability allows the Rails hacker to plant a crontab entry that remotely downloads, compiles and executes a C source file capable of carrying out commands. As a safeguard against compilation failure, it also downloads a pre-compiled version of the same program. The malware then sets up an IRC bot that generates a random nine-character nickname and uses it to connect to an IRC server, where it joins the #rails channel and waits for further instructions.

Once connected, the bot will follow the hacker’s every command. It will download and execute malicious files. At its worst, it may even switch the user’s server.

The Roots of the RoR Problem

Ruby on Rails makes extensive use of its JSON processor’s YAML deserialization when reading the server’s configuration files. Because that deserialization can be made to instantiate arbitrary Ruby objects, the Rails hacker can bypass authentication and connect directly to the server. In addition, RoR’s automatic parameter parsing casts string values to other data types. Present in versions 3.0 and earlier, this flaw opens the door to any attacker intent on harming a Ruby on Rails application.

Once in, the hacker can execute malicious code or even mount a denial of service. He can also inject SQL queries to extract sensitive information from a website’s database. Because it permits the remote execution of system commands, the exploit lets any misguided individual compromise numerous websites with little difficulty.
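The arbitrary object instantiation described above, and the defence against it, as an added example that is not from the original post or the Rails project: a full YAML load honours a `!ruby/object` tag and builds whatever class it names (here a constructed, harmless `AuditEntry`), while `YAML.safe_load` rejects the tag and returns only plain data. The helper names `load_trusting` and `load_untrusted` and the sample documents are this example's own.

```ruby
# Added example (not from the original post): why handing untrusted input to a
# full YAML loader is dangerous, and the safe alternative. AuditEntry is a
# constructed, harmless class standing in for "any Ruby object".
require 'yaml'

class AuditEntry
  attr_accessor :note
end

# Constructed sample documents. The first carries a Ruby-specific type tag of
# the kind a full YAML loader honours; the second is ordinary data.
TAGGED_DOC = "--- !ruby/object:AuditEntry\nnote: supplied by client\n"
PLAIN_DOC  = "---\nuser: alice\nrole: reader\n"

# Full (trusting) load: honours !ruby/object tags and instantiates the named
# class. Newer Psych calls this YAML.unsafe_load; older versions only offer
# YAML.load with the same behaviour.
def load_trusting(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Safe load: only plain scalars, arrays and hashes are accepted. A tag naming
# a Ruby class raises Psych::DisallowedClass instead of building the object.
# Returns [:ok, value] or [:rejected, message] so callers never receive an
# unexpected object.
def load_untrusted(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  obj = load_trusting(TAGGED_DOC)
  puts "trusting loader built a #{obj.class} with note=#{obj.note.inspect}"
  status, detail = load_untrusted(TAGGED_DOC)
  puts "safe loader on tagged doc: #{status} (#{detail})"
  status, value = load_untrusted(PLAIN_DOC)
  puts "safe loader on plain data: #{status} #{value.inspect}"
end
```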

The Risks for Users Who Fail to Patch

Although the readily available patches present an easy solution to the problem, many have failed to make use of them. This is due in part to RoR’s excellent security track record. Most of its users are not professional developers and may be unaware of the need to keep abreast of recommended updates. Many become so comfortable with the version they are currently using that they resist making changes of any kind. Others fear that installing such updates might upset an otherwise well-balanced apple cart.

When it comes to ignoring security patches, however, this very complacency can leave a website wide open to a serious malware infestation. The end result: a rampant exploitation that wreaks malevolent havoc on numerous developers and web hosts.

What the User Can Do

To protect against such malicious attacks, it is vital for any Ruby on Rails developer to stay aware of all updates and patches and apply them as soon as they appear. Experts also advise checking that systems can be rebuilt without needing access to services such as GitHub and RubyGems. The up-to-date user should be sure to:

- Take proactive steps to maximize security.
- Minimize the number of tech stacks in use, and keep abreast of security updates for each.
- Maintain an updated list of all applications.
- Take all recommended security measures.

Fortunately, where Ruby on Rails is concerned, the white hats appear to outnumber the black hats, and the good guys are constantly at work in securing and strengthening the application while taking pains to keep users informed of new developments and patches. All that must happen now is for users to pay attention to what they’re saying and, most importantly, to take their advice.

About the Author
This article was written by James Younger, a security Subject Matter Expert from Advanced Security by TrainACE. Advanced Security is a training company that provides classes in cutting edge areas of Cyber Security including Exploit Development, Python for Security and Ruby on Rails.
