Rails YAML vuln.

Quick presentation on the YAML vuln and the impact on a Rails application.
Made at: http://rubybdx.org/

Damian Le Nouaille

February 06, 2013

Transcript

  1. YAML in Ruby

  2. “This is a VULN”
    “No, this is a feature.”
    YAML allows us to represent ruby objects directly

  3. YAML deserializes blobs:
    !ruby/object:MyClass
    will execute:
    MyClass.allocate

  4. Example (really simplistic)
    (this is not real code, but a vulnerable object)

  5. Normal:
    Hacked:

  6. Normal result:
    Hacked result:

  7. YAML creates objects.
    With code execution on “[]=”
    (and more methods)
    Is there a Rails class with that?

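Slides 3 to 7 describe the mechanism in two steps: a mapping tagged with a Ruby class name becomes `Klass.allocate`, and each key/value pair is then handed to that object's "[]=". The Ruby script below is an added illustration, not part of the deck: `AuditedStore` is a constructed harmless class whose "[]=" only records its arguments (in the deck that role is played by NamedRouteCollection), and `load_tagged_yaml` / `reject_tagged_yaml` are names made up here to contrast the legacy loader with `YAML.safe_load`, the mitigation Psych offers.

```ruby
require 'yaml'

# Constructed stand-in for a class whose "[]=" does real work.
# Here it only records what it was called with.
class AuditedStore
  def calls
    @calls || [] # allocate skips initialize, so @calls may still be nil
  end

  def []=(key, value)
    (@calls ||= []) << [key, value]
  end
end

# Same shape as the deck's slide 3: a mapping tagged with a Ruby class.
# Constructed sample document, not the payload from the deck.
TAGGED_DOC = <<~DOC
  --- !ruby/hash:AuditedStore
  greeting: hello
  count: 3
DOC

# The legacy loader (YAML.load before Ruby 3.1, YAML.unsafe_load after)
# honours ruby/ tags: it calls AuditedStore.allocate and then runs
# obj[key] = value for every pair, i.e. "[]=" is invoked on our object.
def load_tagged_yaml(doc)
  loader = YAML.respond_to?(:unsafe_load) ? :unsafe_load : :load
  YAML.public_send(loader, doc)
end

# The safe loader only builds core types (Hash, Array, String, numbers...)
# and rejects any ruby/ tag, so no application class is ever allocated.
# Returns the error message, or nil if the document was (unexpectedly) accepted.
def reject_tagged_yaml(doc)
  YAML.safe_load(doc)
  nil
rescue Psych::DisallowedClass => e
  e.message
end

if $PROGRAM_NAME == __FILE__
  obj = load_tagged_yaml(TAGGED_DOC)
  puts "#{obj.class} received #{obj.calls.inspect}"
  puts "safe_load: #{reject_tagged_yaml(TAGGED_DOC)}"
end
```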

  8. (image slide, no transcript text)

  9. When the fun begins.
    ActionDispatch::Routing::RouteSet::NamedRouteCollection
    https://github.com/rails/rails/blob/v3.2.10/actionpack/lib/action_dispatch/routing/route_set.rb#L113
    Aliases “[]=” to “add”

  10. Back to Rails.
    Let’s create a YAML string:
    --- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
    ? #{encoded_payload}
    : !ruby/struct
      defaults:
        :action: create
        :controller: foos
      required_parts: []
      requirements:
        :action: create
        :controller: foos
      segment_keys:
        - :format

  11. Inject that YAML in XML

    #{yaml.html_escape}

  12. Send the XML to the app

  13. Rails will deserialize the params[], the XML, the YAML,
    and will execute the payload.

  14. Rails will deserialize the params[], the XML, the YAML,
    and will execute the payload.
    ... without 500 errors.

  15. (image slide, no transcript text)

  16. Demo on 3.2.10
    simple scaffold app.

  17. (image slide, no transcript text)

  18. Demo on 3.2.11

  19. (image slide, no transcript text)

  20. NOT a Rails problem.
    It’s a YAML feature.
    Ok ... Rails problem too.
    UPGRADE to 3.2.11

  21. Credit photo/text
    http://rubysource.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/
    http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/
    http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html
    http://ronin-ruby.github.com/blog/2013/01/28/new-rails-poc.html
    http://lesjoiesducode.tumblr.com/
    Thank you.
    @DAMLN
