Researchers have warned of a remote execution exploit for dangerous Ruby on Rails flaws that were the subject of two "extremely critical" fixes this week.
Maintainers of the Ruby on Rails framework issued two patches in the past week to fix a critical hole that could allow attackers to compromise applications.
The "two extremely critical security fixes" closed off parameter parsing flaws present in all versions of Ruby on Rails, which allow attackers to bypass authentication and execute arbitrary code in Rails apps.
"Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the work-arounds immediately," an advisory stated.
Security researcher Ben Murphy said a proof of concept attack had been developed for all versions of Rails for the last six years, but had not yet been made public.
"An attacker can execute any ruby code he wants including system (unix command)," Murphy wrote in a forum comment. "This affects any rails version for the last six years.
"I've written POCs for Rails 3.x and Rails 2.x on Ruby 1.9.3, Ruby 1.9.2 and Ruby 1.8.7 and there is no reason to believe this wouldn't work on any Ruby/Rails combination since when the bug has been introduced.
"The exploit does not depend on code the user has written and will work with a new rails application without any controllers."
Metasploit developer HD Moore detailed the mechanics of the flaw in a blog post, including a local proof-of-concept exploit for Distributed Ruby (DRb) installations, and said a module would likely be developed within days.
Developer Felix Wilhelm has offered more details on the vulnerability but did not list a working proof-of-concept exploit.