Ruby on Rails Vulnerabilities (Jan 16, 2013)

Ruby on Rails (RoR) is an open source full-stack web application framework for the Ruby programming language. Ruby on Rails emphasizes the use of well-known software engineering patterns and principles, such as “Active record pattern”, “Convention over Configuration”, “Don’t Repeat Yourself” and “Model-View-Controller”.

Several RoR vulnerabilities have emerged over the past weeks. The first is an SQL injection attack: by combining two vulnerabilities, CVE-2012-6496 and CVE-2012-6497, an attacker could inject and execute arbitrary SQL queries. However, performing this SQL injection requires the attacker to tamper with the session cookie, which makes both attacking and detecting attacks difficult, since both require knowledge of the session secret (i.e. cracking the HMAC key).

The second is a remote code execution vulnerability (CVE-2013-0156). It is due to a design error in the deserialization of user-provided YAML (“YAML Ain’t Markup Language”, a data serialization format) strings: the parsed YAML is eventually passed to the module_eval() function, which allows execution of shell commands. An attacker could exploit this vulnerability by sending crafted POST requests to the RoR server. Successful exploitation results in arbitrary code execution within the context of the web service.
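As an added example (not from the original post, and not Dell SonicWALL's signature code), the following Ruby check works in the spirit of a network or log-side detector for CVE-2013-0156: it flags XML request bodies whose type attributes ask the Rails XML parameter parser to deserialize a node as YAML (the code execution vector) or Symbol. The sample request bodies are constructed; REXML is from the Ruby standard library.

```ruby
require "rexml/document"

# Constructed sample request bodies: an ordinary XML parameter document and one
# whose type attribute requests YAML deserialization of the node contents.
BENIGN_BODY = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <user><name>alice</name><age type="integer">30</age></user>
XML

SUSPICIOUS_BODY = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <user><name type="yaml">--- placeholder</name></user>
XML

# Type attribute values that make the Rails XML parameter parser hand node
# contents to the YAML loader or to to_sym instead of a plain string cast.
# The Rails workaround for CVE-2013-0156 removes exactly these two entries:
#   ActiveSupport::XmlMini::PARSING.delete("symbol")
#   ActiveSupport::XmlMini::PARSING.delete("yaml")
UNSAFE_TYPES = %w[yaml symbol].freeze

# Walk an XML request body and return [element_name, type] pairs for every
# element whose type attribute requests YAML or Symbol deserialization.
# An empty array means the body only uses ordinary typed scalars.
def unsafe_typed_nodes(xml_body)
  doc = REXML::Document.new(xml_body)
  findings = []
  doc.each_element("//*[@type]") do |el|
    t = el.attributes["type"].to_s.strip.downcase
    findings << [el.name, t] if UNSAFE_TYPES.include?(t)
  end
  findings
rescue REXML::ParseException
  # Malformed XML never reaches the YAML branch of the parser; report it
  # separately if your pipeline cares about parser errors.
  []
end

# Only XML bodies are routed through the XML parameter parser, so the check is
# gated on the Content-Type header as a server would be.
def suspicious_request?(content_type, body)
  return false unless content_type.to_s.start_with?("application/xml", "text/xml")
  !unsafe_typed_nodes(body).empty?
end
```

Run the check over captured POST bodies (or over the body field of a WAF or application log) and alert on any non-empty result; legitimate Rails clients have no reason to send `type="yaml"` parameters.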

Dell SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting CVE-2013-0156. The signatures are listed below:

  • 9486 Ruby on Rails SqlLiteral SQL Injection
  • 9487 Ruby on Rails Remote Code Execution 1
  • 9488 Ruby on Rails Remote Code Execution 2

Over the past week Dell SonicWALL has observed several exploit attempts targeting CVE-2013-0156, though the volume is very low.