Software Integrity Blog


Use Rails? Check Yourself for the YAML Exploit

Anybody using Ruby on Rails has been sitting uneasy for the last few weeks, and with good reason. The most recent Rails vulnerabilities have been the worst ever, affecting both Rails and non-Rails websites. If you haven’t been able to wade through the extremely technical blog posts, or haven’t had time to think about it: the Rails YAML vulnerability allows attackers to gain arbitrary remote code execution – that is, full control of the entire server. Once one server’s been fully compromised, it’s not hard to own all the machines.


So what does it all mean? First, if you have this vulnerability it’s pretty easy for somebody to point Metasploit at your site and gain control. Also, even if you don’t run Rails (or don’t run a vulnerable version of Rails), you can still be affected through any of your service and JavaScript providers. If they’re compromised, it would be easy to tamper with the JavaScript you load from them, leaving your site with a Cross-Site Scripting (XSS) vulnerability in the process.

Plenty of customers and friends of ours have requested a simple way to check their site for the Ruby YAML vulnerability, so now we have it! Feel free to test your site quickly and for free at https://www.tinfoilsecurity.com/. We determine this by sending a harmless request to your web server. The request doesn’t do anything — it is designed to be rejected with an error, much as if someone typed a URL incorrectly and requested a web page that doesn’t exist. If your application is vulnerable, it will respond with a particular error code, whereas apps that are not vulnerable will not. This vulnerability allows attackers to execute code on your server, but our check never does this.

Our check currently uses one of two possible ways to detect this vulnerability, and it isn’t 100% foolproof. We’ll have both forms of detection in our scanner soon, so I do recommend doing a full vulnerability check for free with our scanner. Also, this check is for websites using the Psych YAML engine and not the older Syck. All of the proofs of concept we’ve seen so far are for Psych. That doesn’t mean Syck isn’t vulnerable, only that our checker will only work for Psych. In all likelihood, Syck is vulnerable too and you should upgrade your Rails all the same.
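To make the Psych point concrete, here is an added example that is not part of the original post and is not Tinfoil’s checker. It shows the parser behaviour at the root of this class of bug: a YAML document can name a Ruby class with a `!ruby/object:` tag, and the unrestricted loader will instantiate it and populate its instance variables from attacker-supplied data. Beside it is the restricted loader (`YAML.safe_load`), which refuses such tags unless the class is explicitly allow-listed. The `Probe` class and the YAML document are constructed for illustration and are not from the page.

```ruby
require 'yaml'

# Constructed sample class (an assumption for this example, not from the page).
# Any class reachable in the process could be named by the YAML document.
class Probe
  attr_accessor :note
end

# Constructed untrusted input: a document carrying a Psych-specific object tag.
UNTRUSTED_YAML = <<~YAML
  --- !ruby/object:Probe
  note: instantiated by the YAML parser
YAML

# Unrestricted load: honours !ruby/object tags and builds whatever class is named.
# Psych 4 (Ruby 3.1+) moved this behaviour to YAML.unsafe_load; older Psych
# versions exposed it as plain YAML.load, so pick whichever exists.
def load_unsafe(doc)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(doc)
  else
    YAML.load(doc)
  end
end

# Restricted load: only plain scalars, arrays and hashes are permitted, so a
# document naming an arbitrary class is rejected before any object is built.
def safe_result(doc)
  YAML.safe_load(doc)
  :accepted
rescue Psych::DisallowedClass
  :rejected
end

# Allow-listed load: when a specific class is genuinely expected, permit only
# that class rather than falling back to the unrestricted loader.
def load_with_allowlist(doc, classes)
  YAML.safe_load(doc, permitted_classes: classes)
end

if __FILE__ == $PROGRAM_NAME
  obj = load_unsafe(UNTRUSTED_YAML)
  puts "unsafe loader built: #{obj.class} with note=#{obj.note.inspect}"
  puts "safe loader verdict:  #{safe_result(UNTRUSTED_YAML)}"
  puts "plain mapping verdict: #{safe_result("note: plain mapping\n")}"
end
```

The defensive takeaway is that any YAML reaching the parser from an untrusted source (request bodies, parameters, uploaded files) should go through `safe_load`, with an explicit `permitted_classes` list only where a known class is expected.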

If you want to read more on the Rails YAML vulnerability, we highly recommend checking out Patrick McKenzie’s blog post at: https://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/
