Exploits for Ruby on Rails holes now in circulation
Since the reports of a critical vulnerability in Ruby on Rails, the first exploits have begun circulating and the first reports of hijacked web servers are already coming in. The hole is extremely dangerous as it affects a very large number of applications and servers. Anyone who administers a server with a Rails application should urgently take action and either install the updated version or at least make changes which provide temporary protection.
The updates published on Wednesday eliminate two errors which have been designated CVE-2013-0156 and CVE-2013-155, with the former being classified as critical. The underlying vulnerability allows for code to be injected into the server and executed with the privileges of the attacked Rails application. The problem lies in the way Rails accepts data from the user and an attacker need only send data as a POST request to an application in order to exploit it. The problem affects all environments where the XML parser is active, which, by default, it is.
The first workaround is to disable the XML parser, but this leads to problems if the application needs to process XML input. For those cases, the Rails security advisory shows how to disable the problematic YAML and Symbol support in the XML parser.
A better solution is to update the runtime environment to a current version. Only current Ruby on Rails versions – 3.2.11, 3.1.10, 3.0.19 and 2.3.15 – are immune to the problem. The demo exploit describes in some detail how the errors occur and how they can be exploited. Since this is already available as a module for the Metasploit framework, people without explicit programming skills can take advantage of the hole. Updating all Ruby on Rails installations should therefore be done as the highest priority.