Rails developers close another "extremely critical" flaw
The Rails developers have released Ruby on Rails 3.0.20 and 2.3.16 which contain one, and only one, "extremely critical security fix". The problem only affects Rails 3.0.x and 2.3.x with Rails 3.1.x and 3.2.x not affected. Users of the 2.3 and 3.0 branches are advised to update as soon as possible, or to apply patches if they cannot upgrade. If they cannot do that either, a workaround of setting
ActiveSupport::JSON.backend = "JSONGem"
in the application's initialisation code will, at least, prevent the vulnerable code from being called.
The problem is related to the flaw discovered earlier this month in which XML-formatted parameters could include YAML-serialised data; when deserialised, that data would create live objects within the server, which could then be used to exploit it. Exploit code for that flaw appeared in the wild quickly and a number of servers were compromised.
With that bug fixed, researcher Hal Brodigan went looking for other code paths which might lead to similar issues and found one with text/json requests. A description of the problem accompanies a proof of concept and it explains how, in Rails 3.0.x, those text/json requests can be translated into and parsed as YAML. Rails 3.0.x's ActiveSupport JSON parser is actually a proxy to a selection of JSON parsing libraries, and one of the backends, yaml, works by translating the JSON to YAML before trying to use the YAML.load method.
The backend is described as "incredibly naive" in how it converts JSON to YAML in the function convert_json_to_yaml using the StringScanner class, as it does not validate the input as proper JSON. By exploiting this, it is possible to create JSON which converts into dangerous YAML.
According to Brodigan, finder of the flaw, the underlying problem, which was not fixed in the original patches, is that the Psych YAML parser lacks a safe mode, so developers who allow user input near YAML.load continue to run the risk of being tricked into deserialising arbitrary classes. He points to SafeYAML, which does have a safe mode and stops his proof of concept from working. There is also a monkey-patch available which stops non-primitive objects from being deserialised and is also effective against the PoC.
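The two mitigations the article describes, illustrated as an added Ruby example that is not code from the article, Brodigan or the Rails project: parsing request bodies with the strict JSON gem (the JSONGem backend) rejects anything that is not JSON instead of re-interpreting it as YAML, and where YAML must be loaded at all, Psych's safe loader refuses any !ruby tag. The sample bodies and the class name SomeAppClass are constructed for the example.

```ruby
require 'json'
require 'yaml'

# Constructed sample request bodies (not taken from the article).
WELL_FORMED_JSON = '{"user": {"name": "alice", "admin": false}}'
# A YAML document carrying an object tag; the class name is a placeholder.
NOT_JSON_BODY    = "--- !ruby/object:SomeAppClass\ntable: {}\n"

# Strict JSON parsing, as the JSONGem backend does: the JSON gem only
# accepts real JSON, so a YAML-shaped body is rejected rather than being
# handed to a YAML loader. Returns [:ok, value] or [:rejected, reason].
def parse_json_strictly(body)
  [:ok, JSON.parse(body)]
rescue JSON::ParserError => e
  [:rejected, e.message]
end

# Safe YAML loading (Psych.safe_load): only primitives such as Hash, Array,
# String, Numeric, true/false/nil are built; any !ruby/... tag raises
# Psych::DisallowedClass before an object of that class is instantiated.
# On Psych 4 (Ruby 3.1+) YAML.load already behaves this way; older Psych,
# like the versions contemporary with the article, needs safe_load called
# explicitly or a gem such as SafeYAML.
def load_yaml_safely(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  p parse_json_strictly(WELL_FORMED_JSON)  # [:ok, {"user"=>{...}}]
  p parse_json_strictly(NOT_JSON_BODY)     # [:rejected, "..."]
  p load_yaml_safely("a: 1\n")             # [:ok, {"a"=>1}]
  p load_yaml_safely(NOT_JSON_BODY)        # [:rejected, "Psych::DisallowedClass"]
end
```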