The webconsole gem which ships with the Rails development server allows remote code execution via DNS Rebinding. I reported this issue to Rails on April 20th 2015. However, it may have been reported to them earlier because Homakov also found the issue independently and tweeted about it here:

There are lots of dangerous interactions with localhost: I tweeted that with DNS rebinding we can RCE via REPL on any Rails app, no fix yet — Egor Homakov (@homakov) January 11, 2016

Since this issue is semi-public I think it is better that the problem is made public before waiting for a fix that may never appear. It also important to note that many developer set ups are probably not vulnerable because they are using Pow to run Rails applications or their upstream DNS servers apply DNS rebinding protection.

The problem is same origin policy in browsers is broken for IP based security unless the server checks the Host header is what it expects it to be. And it looks like rails development mode does not do any checking of the Host header to see that the header is 127.0.0.1 or localhost.

The attack looks something like this:

Attacker tricks user into going to a website they control. For example reallycoolflashgame.com (nothing looks suspicious..) Attacker opens an iframe to sdjhskdf87.reallycoolflashgame.com:3000 (SOP policy is based on the port number and we open this in an iframe so we don’t tip off the user that something suspicious is going on) sdjhskdf87.reallycoolflashgame.com is a DNS record with a really short TTL. For example 60 seconds. Attacker then changes the DNS record to point from their IP address to 127.0.0.1 The original html page at sdjhskdf87.reallycoolflashgame.com:3000 starts making XHR requests after the TTL has expired. These requests get routed to the rails app and they can trigger the debug functionality remotely.

I have a website that simulates this attack. If you visit this website on OSX and it starts the Calculator.app then you are definitely vulnerable. However, if it does not work then that might be because the attack is buggy and is not proof that you don’t have a vulnerable setup.

create a new rails project with rails new demo cd demo; rails server go to http://www.dnsrebinder.net/ in your browser You will have to wait about 60-80 seconds and if you are running OSX it will pop a calculator. If you are running something else it won’t do anything useful :(. You can monitor what is happening in Chrome Developer tools. If you see a request that generates a 404 this is evidence that the DNS rebinding was successful.

It might not work if your router or upstream DNS provider is filtering private ip ranges in DNS lookups. So you might have to set your DNS server to point to 8.8.8.8 (google DNS).

Mitigations

Remove webconsole gem from your Gemfile. Use pow.cx which hosts your Rails application under the .dev domain namespace and do not spawn Rails applications using the ‘rails server’ command. Use a DNS server that applies DNS rebinding filtering. It is important that it filters 127.0.0.0/8 and the IPV6 local addresses. In particular Rails5 Puma only binds to the IPV6 local address under OSX.

Update

The same vulnerability effect the better errors gem. Thanks to @mikeycgto for the pointer.