Researchers have warned of a remote execution exploit for dangerous Ruby on Rails flaws that were the subject of two "extremely critical" fixes this week.
The parameter-parsing flaws are present in all versions of Ruby on Rails and allow attackers to bypass authentication and execute arbitrary code in Rails apps.
Ruby on Rails maintainers warned of "multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application".
Security researcher Ben Murphy said a proof of concept attack had been developed for all versions of Rails for the last six years, but had not yet been made public.
"An attacker can execute any ruby code he wants including system (unix command)," Murphy wrote in a forum comment. "This affects any rails version for the last six years.
"I've written POCs for Rails 3.x and Rails 2.x on Ruby 1.9.3, Ruby 1.9.2 and Ruby 1.8.7, and there is no reason to believe this wouldn't work on any Ruby/Rails combination since the bug was introduced.
"The exploit does not depend on code the user has written and will work with a new rails application without any controllers."
More than 200,000 Rails-based web sites are potentially at risk from attack, according to technology trends website BuiltWith, as first reported by Ars Technica.
Metasploit developer HD Moore detailed the mechanics of the flaw in a blog post, including a local proof-of-concept exploit for Distributed Ruby (DRb) installations, and said a module would likely be developed within days.
"Stay tuned for more information on this flaw and more than likely a Metasploit module or two in the coming days," Moore wrote.
Developer Felix Wilhelm has offered more details on the vulnerability but did not publish a working proof-of-concept exploit.
Sourcefire chief architect Adam J O'Donnell, PhD, said a worm could emerge to target the vulnerabilities, but that such a threat would be overshadowed by more stealthy attacks.
"The worst case situation is that attackers use the vulnerability to silently compromise massive numbers of vulnerable websites, grab everything from the database, and install persistent backdoors in the infrastructure of every organisation running the vulnerable code," O'Donnell wrote.
"They could also silently post a client-side exploit that targets people who come to that site, commonly known as a watering hole attack.
"A worm would likely force everyone to fix their infrastructure immediately, while silent exploitation may not be as motivating."
Copyright © SC Magazine, Australia