An exploit has surfaced in the wild that is building a botnet of Internet Relay Chat servers using a five-month-old vulnerability in Ruby on Rails.
Two patches were issued that closed off "extremely critical" parameter parsing flaws present in all versions of Ruby on Rails, which could allow attackers to bypass authentication and execute arbitrary code in Rails apps.
"It's pretty surprising that it's taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails," security consultant Jeff Jarmoc said in a blog. "It also appears to be affecting some web hosts."
The exploits are being launched from IP addresses that trace to Germany, Russia and Ukraine.
"Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers," Jarmoc wrote.
The "pretty straightforward skiddy exploit" built an IRC bot that connected to a known malicious host and joined the #rails channel without the use of a channel key.
It executed only once on an infected host.
"There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands."
- With Darren Pauli