
Rails YAML vuln.

Quick presentation on the YAML vuln and its impact on a Rails application.
Made at: http://rubybdx.org/


Damian Le Nouaille

February 06, 2013

Transcript

  1. YAML in Ruby

  2. “This is a VULN” / “No, this is a feature.” YAML allows us to represent Ruby objects directly.

  3. YAML deserializes blobs: !ruby/object:MyClass will execute: MyClass.allocate

  4. Example (really simplistic; this is not real code, but a vulnerable object)

  5. Normal : Hacked :

  6. Normal result: Hacked result:

  7. YAML creates objects, with code execution on “[]=” (and more methods). Is there a Rails class with that?

  8. (image-only slide, no transcript text)

  9. When the fun begins. ActionDispatch::Routing::RouteSet::NamedRouteCollection https://github.com/rails/rails/blob/v3.2.10/actionpack/lib/action_dispatch/routing/route_set.rb#L113 allows alias “[]=” on “add”

  10. Back to Rails. Let’s create a YAML string: --- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection ? #{encoded_payload} : !ruby/struct defaults: :action: create :controller: foos required_parts: [] requirements: :action: create :controller: foos segment_keys: - :format

  11. Inject that YAML in XML: <?xml version="1.0" encoding="UTF-8"?> <exploit type="yaml">#{yaml.html_escape}</exploit>

  12. Send the XML to the app

  13. Rails will deserialize the params[], the XML, the YAML, and will execute the payload.

  14. Rails will deserialize the params[], the XML, the YAML, and will execute the payload ... without 500 errors.

  15. (image-only slide, no transcript text)

  16. Demo on 3.2.10 simple scaffold app.

  17. (image-only slide, no transcript text)

  18. Demo on 3.2.11

  19. (image-only slide, no transcript text)

  20. NOT a Rails problem. It’s a YAML feature. Ok ... Rails problem too. UPGRADE to 3.2.11

  21. Credit photo/text:
      http://rubysource.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/
      http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/
      http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html
      http://ronin-ruby.github.com/blog/2013/01/28/new-rails-poc.html
      http://lesjoiesducode.tumblr.com/
      Merci. @DAMLN
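The following is an added example and not part of the deck. It illustrates slides 3 and 4 (a `!ruby/object:` tag makes Psych allocate the named class and fill in its instance variables) next to the hardened form that slide 20 points towards: loading the same document with `YAML.safe_load`, which refuses every class not on an explicit allow-list. The `AuditEntry` class and the `TAGGED_DOC` string are constructed for the example; `load_honouring_tags` and `load_rejecting_tags` are hypothetical helper names.

```ruby
require 'yaml'

# Harmless stand-in for the "vulnerable object" of slide 4; constructed for
# this example. Psych restores a !ruby/object tag by calling Klass.allocate and
# then assigning each mapping key as an instance variable, so no constructor
# runs and any class loaded in the process can be named in the document.
class AuditEntry
  attr_reader :message

  def initialize(message = 'default')
    @message = message
  end
end

# Constructed document of the shape the slides describe: a tag naming a Ruby
# class followed by the instance variables to set on it.
TAGGED_DOC = "--- !ruby/object:AuditEntry\nmessage: from yaml\n"

# Full, tag-honouring load: the behaviour Rails 3.2.10 applied to XML params
# of type="yaml". Psych 4 (Ruby 3.1+) made YAML.load safe by default, so on
# those versions the historical behaviour is only reachable via unsafe_load.
def load_honouring_tags(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened form: safe_load revives only classes on an explicit allow-list and
# raises Psych::DisallowedClass for anything else. A small result hash keeps
# the outcome inspectable instead of propagating the exception to the caller.
def load_rejecting_tags(doc, permitted: [])
  { ok: true, value: YAML.safe_load(doc, permitted_classes: permitted) }
rescue Psych::DisallowedClass => e
  { ok: false, error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  obj = load_honouring_tags(TAGGED_DOC)
  puts "full load built a #{obj.class} with message #{obj.message.inspect}"
  puts "safe load without allow-list: #{load_rejecting_tags(TAGGED_DOC).inspect}"
  allowed = load_rejecting_tags(TAGGED_DOC, permitted: [AuditEntry])
  puts "safe load with AuditEntry permitted: #{allowed[:value].message.inspect}"
end
```

The full load returns a live `AuditEntry` even though `initialize` never ran, which is exactly the property the NamedRouteCollection slide builds on; the safe load returns an error instead of an object. Besides the upgrade to 3.2.11 the deck recommends, the Rails advisory for this issue also gave a workaround for applications that could not upgrade immediately: deleting the `"yaml"` and `"symbol"` entries from `ActiveSupport::XmlMini::PARSING` in an initializer, which stops XML parameters from reaching the YAML loader at all.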