Thursday, January 10, 2013

The Ruby on Rails vulnerability that made Metasploit release a patch

This post on the Ruby on Rails Security group on January 8th contained a few phrases that cause alarm when used together: "inject arbitrary SQL", "inject and execute arbitrary code" and "perform a DoS attack on a Rails application". Without going into detail, the post discussed how user-provided YAML and Symbol data could be crafted to exploit Rails applications; the issue was given the identifier CVE-2013-0156.

Rails is used in many projects, including one of the most widespread pentesting frameworks available, Metasploit. Within hours of the post, Metasploit had published a security update for itself (2013010202) and was actively looking into creating an exploitation module.

The only information to go on before the PoC was released was that Rails could take YAML or Symbol input through XML, and that this could potentially be abused. The worry was that allowing arbitrary classes to be specified for string and hash YAML objects would let attackers find unsafe objects to abuse with malicious input.

Blog posts explaining the vulnerability have already been published such as this one by Ronin and this one by Adam O'Donnell from Sourcefire's FireAMP group. PoCs have also popped up, the most notable being this one on github and of course the Metasploit module that was rushed through overnight.

We here at the VRT started paying attention to this as soon as the first post came out on Google Groups, and with the help of Christopher Mcbee we wrote SIDs 25287 and 25288 to detect CVE-2013-0156, namely the abuse of YAML or Symbol object parameter passing to Rails via XML. They will be released in our next SEU, which is targeted for today.
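The detection idea behind those rules (look for XML parameters that ask Rails to convert the element text as YAML or a Symbol) can be illustrated in plain Ruby. The block below is an added example written for this post, not VRT or Metasploit code and not a Snort rule; it inspects a request body with REXML from the standard library, and the three sample bodies are constructed for the example rather than captured traffic.

```ruby
require "rexml/document"

# The type="..." values that CVE-2013-0156 turns against a Rails application:
# the XML parameter parser of affected releases handed the element text to
# YAML.load (type="yaml") or String#to_sym (type="symbol").
DANGEROUS_TYPES = %w[yaml symbol].freeze

# Scan an XML request body and return one record per element whose type
# attribute requests a yaml or symbol conversion. Matching is case-insensitive
# and trims whitespace, erring toward false positives. A body that is not
# well-formed XML returns nil so the caller can tell "rejected by the parser"
# apart from "clean".
def flag_typed_params(body)
  doc = REXML::Document.new(body)
  hits = []
  REXML::XPath.each(doc, "//*[@type]") do |el|
    type = el.attributes["type"].to_s.strip.downcase
    next unless DANGEROUS_TYPES.include?(type)
    hits << { element: el.name, type: type, text: el.text.to_s.strip }
  end
  hits
rescue REXML::ParseException
  nil
end

# Constructed sample bodies (not captured traffic).
# A normal Rails-style form post; type="integer" is an ordinary typecast and
# must not be flagged.
CLEAN_BODY = <<~XML
  <user>
    <name>alice</name>
    <age type="integer">30</age>
  </user>
XML

# A body that requests the two dangerous conversions. The element text is
# deliberately inert; the attribute, not the content, is what the detector
# keys on.
TYPED_BODY = <<~XML
  <user>
    <name type="yaml">--- example</name>
    <role type="symbol">admin</role>
  </user>
XML

# Mismatched tags: the XML parser rejects this before any typecast could run.
MALFORMED_BODY = "<user><name>alice</user>"

if __FILE__ == $PROGRAM_NAME
  { clean: CLEAN_BODY, typed: TYPED_BODY, malformed: MALFORMED_BODY }.each do |label, body|
    puts "#{label}: #{flag_typed_params(body).inspect}"
  end
end
```

This checks the body only; a real rule also has to cover the Content-Type handling that makes Rails parse the body as XML in the first place. On the application side, the Rails advisory's interim workaround was to remove the two parsers outright with `ActiveSupport::XmlMini::PARSING.delete("yaml")` and `ActiveSupport::XmlMini::PARSING.delete("symbol")` until the patched release could be deployed.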

2 comments:

Brian Buchalter said...

I wrote this supplemental post to pull together a few other sources and provide a step by step guide to scanning and securing: Use to Metasploit to Verify Rails is Secured from CVE-2013-0156. Thanks for your coverage of this important issue!

Jay Dee said...

Most common system requirements are Ruby on Rails Framework software, Database such as MySQL, Oracle, DB2, SQL server GUI client for Windows.