Quick presentation on the YAML vulnerability and its impact on a Rails application. Made at: http://rubybdx.org/
YAML in Ruby
“This is a VULN” “No, this is a feature.”
YAML allows us to represent Ruby objects directly.
YAML deserializes blobs: !ruby/object:MyClass will execute MyClass.allocate
Example (really simplistic; this is not real code, but a vulnerable object)
Normal: / Hacked:
Normal result: / Hacked result:
YAML creates objects, with code execution on “[]=” (and more methods). Is there a Rails class with that?
When the fun begins: ActionDispatch::Routing::RouteSet::NamedRouteCollection
https://github.com/rails/rails/blob/v3.2.10/actionpack/lib/action_dispatch/routing/route_set.rb#L113
It aliases “[]=” to “add”.
Back to Rails. Let’s create a YAML string:
--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
? #{encoded_payload}
: !ruby/struct
  defaults:
    :action: create
    :controller: foos
  required_parts: []
  requirements:
    :action: create
    :controller: foos
  segment_keys:
  - :format
Inject that YAML in XML: #{yaml.html_escape}
Send the XML to the app.
Rails will deserialize the params[], the XML, the YAML, and will execute the payload... without 500 errors.
Demo on 3.2.10: simple scaffold app.
Demo on 3.2.11
NOT a Rails problem. It’s a YAML feature. Ok... Rails problem too. UPGRADE to 3.2.11.
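The two mechanisms the deck relies on (a !ruby/ tag making the loader allocate an arbitrary class and push key/value pairs through its "[]=") and the defensive side (a loader that refuses such tags, plus a check that flags them in inbound bodies) as an added, self-contained example; this is not code from the talk or from Rails, and the Recorder class and sample YAML are constructed stand-ins:

```ruby
require 'yaml'

# Constructed stand-in for a class whose "[]=" does real work (the deck's
# NamedRouteCollection). Here "[]=" only records what the loader hands it.
class Recorder
  attr_reader :calls
  def []=(key, value)
    # allocate skips initialize, so @calls starts out nil
    (@calls ||= []) << [key, value]
  end
end

# Constructed sample: a !ruby/hash tag naming our Recorder class.
TAGGED_YAML = <<~YAML
  --- !ruby/hash:Recorder
  some_key: some_value
YAML

# Full deserialisation, as Rails 3.2.10 did it: Psych allocates the tagged
# class and feeds every mapping pair through "[]=". Newer Psych exposes this
# as unsafe_load; older releases did it from plain load.
def unsafe_deserialize(text)
  loader = YAML.respond_to?(:unsafe_load) ? :unsafe_load : :load
  YAML.public_send(loader, text)
end

# Hardened form: safe_load builds only core types and raises on !ruby/ tags.
# Returns the parsed value, or the exception class name when it is rejected.
def safe_deserialize(text)
  YAML.safe_load(text)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  e.class.name
end

# Detection: list the !ruby/... tags present in a body so a request filter
# or a log search can flag YAML that asks for Ruby object instantiation.
def ruby_tags_in(text)
  text.scan(%r{!ruby/[A-Za-z_:]+}).uniq
end
```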
Credit photo/text:
http://rubysource.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/
http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/
http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html
http://ronin-ruby.github.com/blog/2013/01/28/new-rails-poc.html
http://lesjoiesducode.tumblr.com/
Thank you. @DAMLN