
Multiple vulnerabilities in parameter parsing in Action Pack

427 points, by jfirebaugh, over 12 years ago

38 comments

benmmurphy, over 12 years ago
An attacker can execute any Ruby code he wants, including system("unix command"). This affects any Rails version for the last 6 years. I've written POCs for Rails 3.x and Rails 2.x on Ruby 1.9.3, Ruby 1.9.2 and Ruby 1.8.7, and there is no reason to believe this wouldn't work on any Ruby/Rails combination since the bug was introduced. The exploit does not depend on code the user has written and will work with a new Rails application without any controllers.

Here is the commit where it was introduced: https://github.com/rails/rails/commit/27ba5edef1c4264a8d1c0e54675723d37a391dd8#L5R133
tenderlove, over 12 years ago
I'm just commenting here so that people can have a central thread for love / hatred. ;-)

But seriously. This is extremely critical, please upgrade!
benmmurphy, over 12 years ago
This vulnerability is also present in other Ruby libraries. I would advise anyone to do bundle install --deployment in their development environment, then 'grep -r "YAML::load"' and 'grep -r "YAML.load"' in the vendor/bundle directory. If you have YAML::load(user_controlled_value) or YAML.load(user_controlled_value) then you might be vulnerable to remote code execution. There are some other Ruby libraries that are vulnerable to this attack, but I don't want to post about them until their authors have fixed them.
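A scanner in the spirit of the grep above, added here as an example and not benmmurphy's or any project's code: it walks a directory tree for YAML/Psych load calls (including `load_file` and `unsafe_load`, which a plain grep for "YAML.load" misses) and reports file, line and text, while leaving `safe_load` alone. The `vendor/bundle` stand-in (a `widgets` gem and a `settings` gem) is a constructed fixture written to a temp dir so the script runs offline; point `scan_for_unsafe_yaml` at a real `vendor/bundle` to use it.

```ruby
require 'tmpdir'
require 'fileutils'

# Call sites worth reviewing: YAML/Psych load variants reached through "." or "::".
# Longer names come first so "load" does not swallow "load_file" etc.
# "safe_load" never matches, because "safe_" sits between the separator and "load".
UNSAFE_YAML_CALL = /\b(?:YAML|Psych)(?:::|\.)(?:unsafe_load|load_file|load_stream|load)\b/

# Walk every .rb file under +root+ and return [relative_path, line_number, stripped_line]
# for each line that calls one of the flagged loaders.
def scan_for_unsafe_yaml(root)
  hits = []
  Dir.glob(File.join(root, '**', '*.rb')).sort.each do |path|
    File.foreach(path).with_index(1) do |line, lineno|
      next unless line.match?(UNSAFE_YAML_CALL)
      hits << [path.sub("#{root}/", ''), lineno, line.strip]
    end
  end
  hits
end

# Constructed fixture standing in for vendor/bundle: two tiny gems, one of which
# feeds request data straight into YAML.load. Hypothetical gem names.
def build_sample_bundle(dir)
  gem_a = File.join(dir, 'gems', 'widgets-0.1', 'lib')
  gem_b = File.join(dir, 'gems', 'settings-2.0', 'lib')
  FileUtils.mkdir_p(gem_a)
  FileUtils.mkdir_p(gem_b)
  File.write(File.join(gem_a, 'widgets.rb'), <<~RUBY)
    module Widgets
      def self.from_param(value)
        YAML.load(value)            # user-controlled input: flagged
      end
      def self.from_file(path)
        YAML::load_file(path)       # flagged: origin of the file must be reviewed
      end
    end
  RUBY
  File.write(File.join(gem_b, 'settings.rb'), <<~RUBY)
    module Settings
      def self.parse(text)
        YAML.safe_load(text)        # restricted loader: not flagged
      end
    end
  RUBY
  dir
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir('bundle') do |dir|
    scan_for_unsafe_yaml(build_sample_bundle(dir)).each do |file, lineno, text|
      puts "#{file}:#{lineno}: #{text}"
    end
  end
end
```

A hit is a review item, not a verdict: `load_file` on a file the application ships is fine, `load` on anything that came from a request is not. Rails' own `ActiveSupport` wrappers or a locally aliased constant would need extra patterns.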
teyc, over 12 years ago
I don't use Rails, and read up on the vulnerabilities. Here's a quick summary:

1. This class of problems is not unique to Ruby.

2. Similar problems have been identified in Struts, and Python's pickle.

3. Specifically in this case, YAML.load() can deserialize unintended object types. In the case of Struts the problem was that the expression library used can also deserialize unintended object types (like File), plus setting properties on these types can have side effects (such as dropping files into your system).

4. I took a look at Microsoft's WCF. The DataContractSerializer states that it is only allowed to load types that are specified by a contract. http://msdn.microsoft.com/en-us/library/vstudio/ms733135(v=vs.90).aspx This should be the gold standard. In addition, it warns that even loading XML documents can be dangerous if we then load remote DTDs for validation.

5. For the old salts, remoting or RMI have similar issues - both mitigated by restricting the types that can be deserialized. http://msdn.microsoft.com/en-us/library/5dxse167(v=vs.71).aspx

6. Here's another vulnerability which targets serialization: http://wouter.coekaerts.be/2011/spring-vulnerabilities

In summary,

1. All deserializers should be viewed with suspicion.

2. A deserializer which does not implement a whitelist of types that it can deserialize to is not suited for handling arbitrary data.

3. For example, it is capable of creating untainted/trusted objects in application servers, which some time later may be used for XSS, or execution in SQL. In the Struts case, the standard Java libraries have constructors and methods such that deserializing is enough to result in an arbitrary file being dropped on the remote file system.
judofyr, over 12 years ago
This is bad, bad, bad, bad! SQL injections, remote code execution, DoS. Pretty much *everything* is possible with this exploit. You don't even need the secret key which was required in the previous vulnerability.

Upgrade *NOW*.
xentronium, over 12 years ago
http://www.insinuator.net/2013/01/rails-yaml/

Some explanation why YAML user input is evil.

It works like this:

    1.9.3p327 :001 > id = YAML.load("--- !ruby/string:Arel::Nodes::SqlLiteral \"1 --\"\n") # if user input can contain arbitrary YAML
    "1 --"

It looks like a string, but it's not.

    1.9.3p327 :002 > Keyword.where(:id => id).first
    Keyword Load (0.3ms)  SELECT `keywords`.* FROM `keywords` WHERE `keywords`.`id` = 1 -- LIMIT 1
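An added example, not code from the thread, from Rails or from the linked write-up: the same tagged-scalar document xentronium shows, fed to Psych's restricted loader. `Psych.safe_load` refuses to instantiate any class not on its permitted list, so the `!ruby/string:Arel::Nodes::SqlLiteral` tag is rejected before the constant is even looked up (Arel need not be installed), which is exactly the type whitelist teyc argues every deserializer should have. `TrustedLabel` is a constructed stand-in for an application class you deliberately permit; it shows that the tag mechanism itself still works for permitted types. Assumes Ruby 2.6 or later (the `permitted_classes:` keyword).

```ruby
require 'yaml'   # Psych, the YAML engine used by Ruby and Rails

# The document from the thread: a scalar that prints as the string "1 --"
# but carries a tag asking the loader to build an Arel::Nodes::SqlLiteral.
SQL_LITERAL_DOC = "--- !ruby/string:Arel::Nodes::SqlLiteral \"1 --\"\n"

# Constructed stand-in for an application class we deliberately allow.
class TrustedLabel < String; end
TRUSTED_DOC = "--- !ruby/string:TrustedLabel \"1 --\"\n"

# Restricted loading: only classes named in +permitted+ may be instantiated.
# Returns the deserialized value, or the DisallowedClass exception if the
# loader refused, so callers can inspect the outcome without re-parsing.
def restricted_load(doc, permitted = [])
  Psych.safe_load(doc, permitted_classes: permitted)
rescue Psych::DisallowedClass => e
  e
end

# Classify the outcome: a refusal, a plain String, or a String subclass
# that the tag asked for and the whitelist allowed.
def classify(result)
  case result
  when Psych::DisallowedClass then :rejected
  when String                 then result.class == String ? :plain_string : :tagged_string
  else :other
  end
end

if __FILE__ == $PROGRAM_NAME
  r = restricted_load(SQL_LITERAL_DOC)
  puts "SqlLiteral tag, empty whitelist: #{classify(r)} (#{r.message})"
  r = restricted_load(TRUSTED_DOC)
  puts "TrustedLabel tag, empty whitelist: #{classify(r)} (#{r.message})"
  r = restricted_load(TRUSTED_DOC, [TrustedLabel])
  puts "TrustedLabel tag, whitelisted:    #{classify(r)} -> #{r.class} #{r.inspect}"
end
```

The point for a defender is the middle case: the loader's default answer to an unknown tag is a hard error, not a best-effort object, and widening the list is an explicit decision per class. On Ruby 3.1+ `YAML.load` already behaves like `safe_load`, but on the 1.8/1.9 interpreters discussed in this thread only the explicit `safe_load` call gives this guarantee.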
danso, over 12 years ago
Before anyone wonders if they're having deja vu, this is different than the SQL injection vulnerability that was discussed 5 days ago:

http://news.ycombinator.com/item?id=4999406
steveklabnik, over 12 years ago
To emphasize:

    > Due to the critical nature of this vulnerability, and the fact that portions
    > of it have been disclosed publicly, all users running an affected release
    > should either upgrade or use one of the work arounds *immediately*.
FooBarWidget, over 12 years ago
I'm the author of the "Rails SQL injection vulnerability: here are the facts" blog post last week. This vulnerability is a different and unrelated one, and is very serious. Upgrade immediately.
fwilhelm, over 12 years ago
For those of you interested in more details about this bug: I've posted a first analysis at http://www.insinuator.net/2013/01/rails-yaml/
rschmitty, over 12 years ago
Rails noob here... with this and the other vulnerability from a few days ago, is updating your rails gem all you need to do to become safe?

The current version at the time of my post is 3.2.11; if I'm using that, am I safe, or do I need to perform additional steps?
Argorak, over 12 years ago
This hits one of my basic complaints about Rails: it activates too many features _by default_. Even if your app does not parse XML params, the parser is active. I know it's convenient, but hey - is this worth the price of exposing _everyone_?
moe, over 12 years ago
I hope in consequence of this incident the Rails team will build in an automatic security-update notification mechanism.

I'd like my apps to poll rails.org (or whatever) every few minutes and by default shut down hard when an incident like this is announced.
sergiotapia, over 12 years ago
As a newcomer to the Rails ecosystem, all these posts of vulnerabilities and open doors leave a bad taste in my mouth.

God knows I love programming in Ruby now, but is Rails really that insecure?
tptacek, over 12 years ago
Patch right now.
jrochkind1, over 12 years ago
Hmm, this may explain why the vulnerability patched in 3.2.10 was more dangerous than it seemed, eh?

The 3.2.10 announcement provided an example of `Model.find_by_id(params[:id])` as an exploit, but nobody could figure out how you could get a hash with a _symbol_ key into `params[:id]`, which is what it would take for that to be an exploit. So people were confused.

But the pre-3.2.11 exploit, apparently, possibly provides ways to do just that, eh?
derwiki, over 12 years ago
I heard through the grapevine that YC affiliated companies were tipped off to this exploit/patch before it was made public (really; a YC affiliate asked me today about the vuln before it was disclosed). Could anyone comment on that?
jacobn, over 12 years ago
So I've applied the workaround, which is great, but how do I test that the workaround is indeed working?

I realize that providing an in-depth answer is tantamount to publishing an exploit how-to, but some reasonable way to privately test this would be very useful.

Maybe a "simple" URL tester hosted by a trusted Rails source (e.g. rubyonrails.org)? Ok, has the obvious issue of showing the world who they should target, but maybe you can riff on that theme?

Auditing and stuff you know. For some reason people in charge get really upset when all our base are belong to the bad guys.
batgaijin, over 12 years ago
At least people are getting practice at following security bulletins.
Kafka, over 12 years ago
I might be the last one on earth that still runs a Rails 1.1.x app. This time the ancient one dodged a bullet.

"ah, actually 1.1.x isn't vulnerable. The issue first arrived in 2.0" - https://twitter.com/tenderlove/status/288777229276704768
willvarfar, over 12 years ago
Why doesn't Ruby (and Python and all other languages) have Perl's tainting built in and always running?

I'm not advocating it as the only security mechanism, but rather as another barrier to be overcome, just like address-space randomisation, data-execution prevention and all the rest...

(Hasn't Google recently shared a valgrind-lite runtime bounds checker which is being incorporated into GCC etc.? Might lead the way on how this can be done with the minimum of runtime cost.)
sdoowpilihp, over 12 years ago
Can anyone with a more intimate knowledge of the inner workings of Ruby on Rails speak to how detrimental this exploit is in practice? I seem to recall a fair number of people feeling the SQL injection exploit from a few days ago was being blown out of proportion and I was wondering how this particular exploit stacks up against it.
caseyf, over 12 years ago
I was curious about why Rails parses YAML nested inside XML to begin with. Turns out it was put in way back when so that ActiveRecord's from_xml/to_xml work as expected when a model contains serialized (i.e. YAML) attributes.

Patch/issue from the old Rails issue tracker:

http://web.archive.org/web/20071218105822/http://dev.rubyonrails.org/ticket/7502
10char, over 12 years ago
Correct me if I'm wrong, but looks like this should only be a vulnerability if your app uses XML parameters?
jasonlingx, over 12 years ago
Thinking aloud, do we need some kind of auto-update feature for rails apps? This kind of exploit suddenly exposes the multitude of Rails apps out there to remote code execution. I know it wouldn't be a trivial thing to make, but we already have yum auto update for linux and auto updates for Windows, OS X etc, it should definitely be feasible. Scope could be severely limited, so for example, a monkey patch for big vulnerabilities like this, while sending a notification email to the app maker.
amix, over 12 years ago
I am shocked that it's considered a smart idea to make it possible to execute code from XML files (and that this is the default setting)!?
viseztrance, over 12 years ago
I really don't understand the last part: "This vulnerability was reported to us by numerous people, many thanks to [...]".

Considering it affects all versions, what are the odds of multiple people pointing this out at the same time?

Rails has a very good track record regarding these things, but I'm just curious.
benmmurphy, over 12 years ago
If you are using the extlib gem you may be vulnerable as well.

It has just been updated:

https://github.com/datamapper/extlib/commit/633974b2759d9b924657f3888473d5fd681538dd
andrewnez, over 12 years ago
I've thrown together a little script for checking your GitHub repos for out-of-date Rails apps: https://gist.github.com/4492021

Should come in handy today.
callmevlad, over 12 years ago
Github.com (built on Rails) is currently having issues. If I had a tin foil hat, I'd put it on. Hopefully their issues are not related to this vulnerability.
costad, over 12 years ago
As someone stuck maintaining an older rails app with no hope of upgrading anytime soon, any information on patching rails 2.1.0 against this vulnerability?
thewillcole, over 12 years ago
Heroku apps rely on Heroku's version of Rails gems (right?), so how does one tell if Heroku has patched these vulnerabilities yet?
amalag, over 12 years ago
For a less hammered server, you can use:

    source 'http://bundler-api.herokuapp.com'

in your Gemfile.
chunkyslink, over 12 years ago
Ok. I'm quite new to Rails. How do I apply this patch? Or am I better off upgrading Rails completely? How do I do this?
martinced, over 12 years ago
I'm tired of the logical fallacy that consists in always saying: "Every software suffers from security issues".

It is just plain wrong to reason like this.

So let me ask something of the ones using the above fallacy: are all programs (say webservers) equal in the face of security?

It's an easy question, right? And the answer is: "no, they're not all equal".

So stop saying: "But Java had several DoS bugs affecting Tomcat in 2011 too, so we're not doing anything wrong here".

And start coding (and documenting) to higher standards.
the1, over 12 years ago
ruby on cracks
fernandezpablo, over 12 years ago
1. Keep this link bookmarked.

2. Pull it off next time someone starts with the 'test-replace-static-typing' argument.

3. WIN
clickonchris, over 12 years ago
Upgrade instructions:

Update your Gemfile and set the version you want. In my case:

    gem 'rails', '3.2.10'

Locally, run 'bundle update rails', which will update your Gemfile.lock.

Check in and deploy your code. If you are using Capistrano, the default 'deploy' task should handle everything for you. Otherwise, run 'bundle update rails' on your production server.