Ruby on Rails Vulnerabilities (Jan 16, 2013)

Ruby on Rails (RoR) is an open source full-stack web application framework for the Ruby programming language. Ruby on Rails emphasizes the use of well-known software engineering patterns and principles, such as “Active record pattern”, “Convention over Configuration”, “Don’t Repeat Yourself” and “Model-View-Controller”.

During the past weeks several RoR vulnerabilities have emerged. The first is an SQL injection vulnerability. By chaining two separate flaws, CVE-2012-6496 and CVE-2012-6497, an attacker could inject and execute arbitrary SQL queries. However, in order to perform the SQL injection the attacker needs to tamper with the cookie. This makes both attacking and detecting attacks difficult, since each requires knowledge of the session secret (cracking the HMAC key).

The second is a remote code execution vulnerability (CVE-2013-0156). The vulnerability is due to a design error when deserializing user-provided YAML (“YAML Ain’t Markup Language”, a data serialization format) strings; eventually the module_eval() function executes the parsed YAML content, which allows execution of shell commands. An attacker could exploit this vulnerability by sending crafted POST requests to the RoR server. Successful exploitation results in arbitrary code execution within the context of the web service.
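The root cause above is a deserializer that honours object-construction tags in YAML it received from the network. The following Ruby is an added example, not code from the SonicWall post or from the Rails project: it uses only Ruby's standard Psych library to (a) flag a document that asks the parser to build custom Ruby types and (b) parse untrusted YAML with `YAML.safe_load`, which refuses such tags outright. The sample documents, the `CORE_TAGS` list and all function names are constructed for this illustration.

```ruby
# Added example (not from the SonicWall post or the Rails project): handling
# YAML that arrives in an HTTP request without letting it instantiate
# arbitrary Ruby objects. Standard library only (Psych, via "yaml").
require "yaml"

# Constructed sample inputs.
BENIGN_DOC = "name: alice\nroles:\n  - reader\n  - writer\n"
# A document carrying a Ruby object tag; an unsafe loader would try to build
# an OpenStruct from it, a safe loader must refuse it.
TAGGED_DOC = "--- !ruby/object:OpenStruct\ntable: {}\n"
# A document using an anchor/alias pair; aliases are a separate abuse vector
# (alias expansion can exhaust memory) and are disabled below as well.
ALIAS_DOC  = "a: &x 1\nb: *x\n"

# YAML's core data tags. Anything else ("!ruby/object:...", "!ruby/hash:...",
# application-local tags) asks the parser for a non-core type.
CORE_TAGS = %w[!!str !!int !!float !!bool !!null !!seq !!map !!binary].freeze

# Detection heuristic: does the document contain a tag outside the core set?
# Tags are "!" followed by non-space characters at a token boundary. This is a
# textual screen for logging/alerting; it is not the security control.
def yaml_requests_custom_types?(doc)
  doc.scan(/(?:\A|\s)(!\S+)/).flatten.any? { |tag| !CORE_TAGS.include?(tag) }
end

# Mitigation: safe_load only builds Hash, Array, String, Integer, Float,
# true/false/nil. permitted_classes: [] means no tagged class is accepted,
# aliases: false rejects anchor/alias references.
def parse_untrusted_yaml(doc)
  YAML.safe_load(doc, permitted_classes: [], aliases: false)
end

# Wrapper that converts the parser's refusals into a status tuple so a request
# handler can log the rejection (with the exception class) and return 4xx.
def load_or_reject(doc)
  [:ok, parse_untrusted_yaml(doc)]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_DOC, TAGGED_DOC, ALIAS_DOC].each do |doc|
    status, detail = load_or_reject(doc)
    flagged = yaml_requests_custom_types?(doc)
    puts "custom_types=#{flagged} status=#{status} detail=#{detail.inspect}"
  end
end
```

`yaml_requests_custom_types?` is a screening aid for alerting on request bodies; the actual protection is that `parse_untrusted_yaml` never reaches `!ruby/...` object construction at all, because `YAML.safe_load` raises `Psych::DisallowedClass` before any child node is visited.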

Dell SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting CVE-2013-0156. The signatures are listed below:

  • 9486 Ruby on Rails SqlLiteral SQL Injection
  • 9487 Ruby on Rails Remote Code Execution 1
  • 9488 Ruby on Rails Remote Code Execution 2

Over the past week Dell SonicWALL has observed several instances of exploit attempts targeting CVE-2013-0156; however, the volume is very low.
