By Daniel Peck – Research Scientist
In the last few days several significant vulnerabilities have been reported and patched in Ruby on Rails, a popular web application framework. You honestly should stop reading this now and get your systems patched up. Rails applications should be patched up to 3.2.11, 3.1.10, 3.0.19, or 2.3.15 depending on what branch your on. Go fix it now, I’ll wait…
The precise details of exploitation are still a little fuzzy, but as I write this a public exploit is a few hours away from being published and it is likely that private ones already exist. We do know that it affects all versions of RoR from the last 6 years, and that there are an awful lot of sites built in that time frame powered by rails. As rails is just now catching on in the large enterprise space it is likely that many larger businesses will not be affected, but countless smaller organizations, and units within larger businesses that work with more cutting edge technologies are very likely to have an RoR exposed on the internet somewhere. As a colleague said on Twitter, ‘rails joined the “popular enough to care about exploiting” club.’
As to the vulnerability itself, essentially a POST containing XML with an element of the type “yaml”. YAML is a serialization format popular in the Ruby community, and when this yaml element is deserialized a object instance is created from it. Given the dynamic nature of the language, the framework, and hackers anything is possible from that point.
There are several writeups that point to the exploitation methods without providing complete details, one of the better ones here.
You can read the advisory itself on the rails security list.
Many will point to this vulnerability as a reason not to use Rails, and theres likely some substance to that, but less because of the framework itself and mostly because many web app owners see them as fire and forget. It would be nice if that were the case, but with the benefits of a web framework and the speed at which it allows you to create your app come some drawbacks. One, is being part of a roughly homogeneous group of websites that are likely about to be or already are being targeted with “spray and pray” type exploits.