2013 Ruby on Rails Exploits. CS 558 Allan Wirth



Similar documents
Pentesting Web Frameworks (preview of next year's SEC642 update)

June 10, 2015 Josh Bradley, Arctic LCC Stan Smith, USGS

MCAFEE FOUNDSTONE FSL UPDATE

Mobility Information Series

XML Processing and Web Services. Chapter 17

ITP 140 Mobile Technologies. Mobile Topics

4/25/2016 C. M. Boyd, Practical Data Visualization with JavaScript Talk Handout

Whitepapers at Amikelive.com

Attacking MongoDB. Firstov Mihail

A benchmark approach to analyse the security of web frameworks

PL/JSON Reference Guide (version 1.0.4)

Open is as Open Does: Lessons from Running a Professional Open Source Company

Enterprise Mobile Solutions

Performance Testing for Ajax Applications

Smartphone Application Development using HTML5-based Cross- Platform Framework

The Dark Side of Ajax. Jacob West Fortify Software

Server-Side JavaScript Injection Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team July 2011

Web Application Attacks And WAF Evasion

Copyright: WhosOnLocation Limited

Cross Site Scripting Prevention

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Web 2.0 Technology Overview. Lecture 8 GSL Peru 2014

Lucy Zhang UI Developer Contact:

Software Requirements Specification

ActiveX AJAX ASP. AudioMP3

Mobile App Framework For any Website

Using Ruby on Rails for Web Development. Introduction Guide to Ruby on Rails: An extensive roundup of 100 Ultimate Resources

Penetration Test Report

Revisiting SQL Injection Will we ever get it right? Michael Sutton, Security Evangelist

Maltego Tungsten as a collaborative attack platform BlackHat 2013

REDCap Technical Overview

tibbr Now, the Information Finds You.

A Model of the Operation of The Model-View- Controller Pattern in a Rails-Based Web Server

Pre-authentication XXE vulnerability in the Services Drupal module

Ruby on Rails Secure Coding Recommendations

Value Added Services (VAS) - Mobile Applications Business Cases

Integration the Web 2.0 way. Florian Daniel April 28, 2009

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

REDCap General Security Overview

The Impact of Computer Engineering 1. The Impact of Computer Engineering Oakland University Andrew Nassif 11/21/2015

Lecture 15 - Web Security

Everything is Terrible

Check list for web developers

Why NoSQL? Your database options in the new non- relational world IBM Cloudant 1

A Network Administrator s Guide to Web App Security

Web Design Technology

XEP-0043: Jabber Database Access

WHITEPAPER. Nessus Exploit Integration

Attack and Penetration Testing 101

Version Control Your Jenkins Jobs with Jenkins Job Builder

REST web services. Representational State Transfer Author: Nemanja Kojic

Offerte del 13 giugno 2014

Implementing Mobile Thin client Architecture For Enterprise Application

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Penetration Testing The Red Pill

WEB SERVICES FOR MOBILE COMPUTING

Shellshock. Oz Elisyan & Maxim Zavodchik

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Dasharatham Bitla (Dash)

Software Defined Networking Security

Chapter 13 Computer Programs and Programming Languages. Discovering Computers Your Interactive Guide to the Digital World

Database Management System Choices. Introduction To Database Systems CSE 373 Spring 2013

Security Guide SAP GUI for Windows

Traitware Authentication Service Integration Document

Testing Web Applications for SQL Injection Sam Shober

Web Application Security

Team Members: Christopher Copper Philip Eittreim Jeremiah Jekich Andrew Reisdorph. Client: Brian Krzys

How to Grow and Transform your Security Program into the Cloud

Cloud Powered Mobile Apps with Microsoft Azure

Data XML and XQuery A language that can combine and transform data

Introducing Apache Pivot. Greg Brown, Todd Volkert 6/10/2010

ICE Trade Vault. Public User & Technology Guide June 6, 2014

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

NCS 430 Penetration Testing Lab #2 Tuesday, February 10, 2015 John Salamy

COMPUTER SCIENCE (AS) Associate Degree, Certificate of Achievement & Department Certificate Programs

WE BUILD ONLINE SYSTEMS USEFUL WEB & MOBILE APPLICATIONS

What is a CMS? Why Node.js? Joel Barna. Professor Mike Gildersleeve IT /28/14. Content Management Systems: Comparison of Tools

Tushar Dalvi Sr. Security Engineer at LinkedIn Penetration Tester. Responsible for securing a large suite mobile apps

Short notes on webpage programming languages

APP DEVELOPMENT ON THE CLOUD MADE EASY WITH PAAS

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

WPAD TECHNOLOGY WEAKNESSES. Sergey Rublev Expert in information security, "Positive Technologies"

A Plan for the Continued Development of the DNS Statistics Collector

CHAPTER 24 Communicating with the Web

Adobe Flash Player and Adobe AIR security

Chapter 12: Advanced topic Web 2.0

Transcription:

2013 Ruby on Rails Exploits CS 558 Allan Wirth

Background: Ruby on Rails Ruby: Dynamic general purpose scripting language similar to Python Ruby on Rails: Popular Web app framework using Ruby Designed for rapid and easy development Used by sites such as Twitter, Github, Basecamp, Scribd, and Groupon Has become very popular in the past few years. About 2% of the top 10,000 websites use Ruby on Rails. Comes with every Mac OS X computer since 10.7 (Mountain Lion)

Background: XML XML (Extensible Markup Language): Very popular humanreadable data serialization format. Used to transfer data from one program to another in a platform agnostic fashion. Core markup language for many formats, such as: XHTML Used for Web Pages Open Office XML Document Format for Microsoft Office 2007+ XMPP Google Chat, Facebook Chat, Jabber Nearly all web API services support XML data (such as the Twitter, Facebook, Tumblr and Reddit APIs) Example: <message>hello World!</message>

Background: JSON / YAML JSON: JavaScript Object Notation Designed to be a simplistic human-readable data serialization using familiar JavaScript syntax Example: { } "first_name": "Allan", "last_name": "Wirth", "major": "Computer Science" YAML: YAML Ain't Markup Language Designed to be a human readable data serialization language. JSON is supported as a strict subset of YAML.

Exploit: Ruby YAML implementation Under normal conditions, the only types returned by YAML parsing are generic types such as integers, lists and dictionaries. The Ruby YAML implementation allows encoding of arbitrary object formats. When deserialized, the object will be constructed with the provided parameters. Example: ---!ruby/array:array - apples - pears Useful for automagic serialization of user defined types Not inherently dangerous, as long as run on trusted input. If an attacker s input is interpreted as YAML, they can instantiate arbitrary objects by name. For example, an attacker could instantiate a class representing an SQL statement to run custom queries against the database.

Exploit: Rails Deserialization Rails will automagically deserialize incoming requests that contain JSON or XML parameters. It does not do this for YAML, because it would be unsafe. However, the XML parser interprets elements in the form <foo type= yaml > </foo> as YAML documents. This can be used by an attacker to have the YAML interpreter interpret malicious YAML code. Furthermore, the JSON parser simply uses the YAML parser as the backend. This can be used to get the YAML interpreter to interpret client-defined YAML documents.

Exploit: Rails Code Execution By using one of the aforementioned methods, an attacker can obtain YAML processing and instantiate arbitrary objects on the server. By finding an object that will execute code on instantiation, the attacker can run whatever they want. The class ActionDispatch::Routing::RouteSet::NamedRouteColle ction allows for this sort of execution. Example: ---!ruby/hash:actiondispatch::routing::routeset::namedroutecollection "foo; eval(puts '=== hello there'.inspect);":!ruby/object:openstruct table: :defaults: {}

Impact Both exploits allowed arbitrary code execution on any website running any Rails release for the past 6 years. The exploit had 100% reliability. XML vulnerability released Tuesday, January 8 th, 2013 JSON vulnerability released Monday, January 28 th, 2013 Both vulnerabilities were patched within the same day as release. A few large sites that were not patched quickly enough were attacked, such as rubygems.org and Bitcoin exchange Vircurex where an undisclosed sum of Bitcoins were stolen. Both vulnerabilities were rolled into Metasploit.

Questions?

References Ruby on Rails: http://rubyonrails.org/ Ruby: http://www.ruby-lang.org/en/ JSON Parser Vuln Release: https://groups.google.com/forum/?fromgroups=#!topic/rubyonr ails-security/1h2dr63vigo CVE-2013-0333 write-up: http://micrmsoft.blogspot.com/2013/01/cve-2013-0333-rubyon-rails-json-parser.html Anatomy of an Exploit: http://rubysource.com/anatomy-of-anexploit-an-in-depth-look-at-the-rails-yaml-vulnerability/ XML Vuln Release: http://www.kb.cert.org/vuls/id/380039 Ruby Exploit Recap: http://trends.builtwith.com/framework/ruby-on-rails

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information