Forgot your password?
typodupeerror
Botnet Security

Ruby On Rails Exploit Used To Build IRC Botnet 91

Posted by Unknown Lamer
from the bad-script-kiddie dept.
Trailrunner7 writes "Developers who have not updated their Ruby on Rails installations with a five-month-old security patch would do well to secure the Web development framework now. Exploit code has surfaced for CVE-2013-0156 that is being used to build a botnet of compromised servers. Exploit code has been publicly available since the vulnerability was disclosed in January on Github and Metasploit, yet the vulnerability had not been exploited on a large scale until now, said security researcher Jeff Jarmoc." One reason your web server firewall might want to block IRC connections to arbitrary hosts.
This discussion has been archived. No new comments can be posted.

Ruby On Rails Exploit Used To Build IRC Botnet

Comments Filter:
  • by Anonymous Coward
    Any developers that would use Ruby on Rails to start with deserve to be Pwned.
    • by noh8rz10 (2716597)
      what the heck IS ruby on rails? is it two separate things, or one thing? is it like PHP or CSS? I'm bewildered by the technological change on the web. not that I did not say technological advancement, just technological change.
      • Re: (Score:2, Informative)

        by Viol8 (599362)

        Its a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name

        • Re:Hah! (Score:5, Insightful)

          by Jane Q. Public (1010737) on Wednesday May 29, 2013 @12:10PM (#43851889)

          "Its a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name"

          It's a well-designed and successful framework that has been in mainstream use now for around 10 years.

          This "vulnerability" only applies to applications in which the developers did not alter the default value of a cryptographic key, as they are supposed to do. It's roughly the equivalent of leaving your house key in the front door lock.

          Why the framework has been catching so much flak over what is actually a developer issue is beyond my understanding. There are, and have been, clear plain-English instructions that the value of that key should be changed for every new application you create.

          You blame users for not changing the default password (cryptographic key) on their WiFi router... you don't blame the router manufacturer. So why fault this framework because some people didn't change the default "password"??? Makes no sense.

          • Botnet on Rails lol!

            It's been the case in PHP for years that various features which make it easy to use also make it easy to exploit (register_globals, for instance). It's that easy-to-use quality which draws low-grade coders to these technologies. Additionally, even an excellent Ruby/Rails coder might follow all best practices and yet the machine still gets compromised by a bug at the web server or OS level. It seems pretty obvious that the higher your stack of coding abstraction gets, the more holes it
          • Re:Hah! (Score:5, Informative)

            by wumpus188 (657540) on Wednesday May 29, 2013 @05:23PM (#43855009)

            (1) Rails and Ruby was virtually unheard of until 2007-2008 and definitely was not in mainstream use until that time.

            (2) This vulnerability has nothing to do with "cryptographic key"; it is related to the fact that default YAML parser allows serializing/deserializing and executing arbitrary Ruby code (including objects) and ActiveSupport didn't properly sanitize the input.

            • "(1) Rails and Ruby was virtually unheard of until 2007-2008 and definitely was not in mainstream use until that time."

              That's pretty funny. I got my degree in Web development in 2005, and we had been studying it for a year. I then went to work for a company that had similarly been using it in production for about a year.

              "(2) This vulnerability has nothing to do with "cryptographic key"; it is related to the fact that default YAML parser allows serializing/deserializing and executing arbitrary Ruby code (including objects) and ActiveSupport didn't properly sanitize the input."

              Yes, it does. The vulnerability does not exist if the key for the authentication token is not changed from the default.

        • I don't know that it was poorly designed... I think of it as mostly an extension to Perl, not that I write much of either. It doesn't really appeal to me, but that doesn't mean one can't appreciate it as a language. I've been a fan of JS before all the cool kids took notice, but it has a lot of warts, just the same, it's garnered a lot of attention for use in certain scenarios where it is a good fit, perhaps JS+NodeJS isn't as good a fit as Lua+Luvit, but it works, and is a widely used language.

          That sa
      • Re:Hah! (Score:5, Funny)

        by Tarlus (1000874) on Wednesday May 29, 2013 @10:24AM (#43850441)

        It's a locomotive-driven precious stone.

      • It's a good rapid prototyping system for web apps.

      • It's a flavor of kool aid they want you to drink. It's composed od several other very bad flavors, most distinct of which are active record and magic. Active record is also very magic-flavored, which one might find confusing until they figure out what this is all about. If you read about it, it sounds delicious. Once you actually find out how it's made, you might change your mind. And you have to find out how it's made if you actually want to do anything useful with it.
        • by dkf (304284)

          If you read about it, it sounds delicious. Once you actually find out how it's made, you might change your mind. And you have to find out how it's made if you actually want to do anything useful with it.

          It's also capable of being seriously mind-bending when it screws something up. (Today, we found the weirdest of problems with encoding handling in templates. On one level I can see what exactly happened and how it came to pass, but on another level WHY, OH GREAT FLYING SPAGHETTI MONSTER? WHY?)

  • by Anonymous Coward

    Is there any reason to keep any port open which you don't intend to use?

    • by Aaden42 (198257)

      No. And quite a few good reasons to block them.

      That said, most webservers have no firewall to speak of in front of them and are run by "administrators" who don't even know how to configure the hosts's software firewall properly to block unwanted traffic (or on shared hosting where the host has no interest in the complexities of managing the software firewall for multiple users).

      • Re: (Score:2, Funny)

        by Anonymous Coward
        That's a damned good point...I wish someone would pop in here and give us some of the secret inner workings of the HOSTS file...
    • by Anonymous Coward

      Is there any reason to keep any port open which you don't intend to use?

      First off, the advice is not to close "open" ports, it is to restrict outbound traffic to commonly used IRC ports. I say commonly used, because IRC can and does run all over the port range, the standard port of 6667 is just a recommendation.

      Secondly, it's not ports you need to block, you need to block new outgoing connections. A web client could easily be using a local port of 6667, so simply blocking all traffic to destination port 6667 will piss off real users real quick. Instead, you want to block all ne

  • by mystikkman (1487801) on Wednesday May 29, 2013 @09:48AM (#43850045)

    Fix is here.

    http://www.asp.net/ [asp.net]

  • Idea (Score:5, Interesting)

    by stewsters (1406737) on Wednesday May 29, 2013 @09:49AM (#43850057)
    From TFA:
    There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.

    So, basically we could take control of theses servers and force them to update to the newest version of rails?
    • by sl4shd0rk (755837)

      take control of theses servers and force them to update to the newest version of rails?

      Yes and after we are done there:
      - find all the Hummers and downgrade the knobby tires to all-season tires for better gas mileage/less noise pollution.
      - hand out equipment viloations for every small-dick harley biker running annoying/illegal straight-pipe exhaust.
      - hit every Walmart parking lots and jimmie the gas caps so we can upgrade everyone to cleaner burning fuel instead of the 87 octane everyone is using.
      - Storm over the counter at every McDonalds and substitute the "beef" burgers with Tofurkey to sav

      • They don't even need to update the Rails version, just change the default encryption key used for the secure cookies token(s).
  • by Anonymous Coward

    When will people realise how risky it is to have someone build you a rails based site? They require constant security patching, run so slowly, and are often built by people who claim to be developers, but in reality security and performance are words they don't understand.

    Remember - Rails to pose, Python based frameworks for pros.

    It really is shocking how many Brogrammers out there think software engineering and good architecture can be achieved by gem or bundle install.

  • Ruby on Wax

    -- I'm feeling silly today --
  • by wbr1 (2538558)
    For an irc sky net please.
  • by Thantik (1207112) on Wednesday May 29, 2013 @10:13AM (#43850291)

    until someone makes a Bitcoin farming botnet out of all these Ruby on Rails hosts?

  • by fredrated (639554) on Wednesday May 29, 2013 @11:23AM (#43851297) Journal

    I am being forced to learn RoR as part of my job. Should I shoot myself?

    • by iluvcapra (782887)
      Don't, you'll go to hell, where you'll be forced to write a data warehousing backend for Satan's business affairs platform, which runs WebObjects.
    • by Xest (935314)

      No, shoot whoever decided it would be a good idea instead.

  • At least where they have regulatory authority (USA), the FCC needs to start fining people running servers with blatant security holes that they ignore. A sliding scale based on the percentage of the organizations' income, with real non-profits exempt (except blocked until they patch). This might finally get some folks' attention who think they can setup a server (or hire someone to set it up) but not maintain it as long as they're making money.
    • by Jawnn (445279)
      That, or require a license, granted on demonstration of suitable proficiency, before being allowed to run _any_ server that is connected to the Internet. Yeah, that'll happen.
  • If your webserver firewall allows outbound connections to anything you can't easily provide an explanation for then you need to be sent to a remedial network security course. All our devs hate me because everytime they deploy something to production it inevitably breaks because they didn't submit a request to have the necessary ports opened in the firewall, but I'd rather deal with devs hating me than me hating devs because their insecure apps got us hacked.
  • Well this would be a shame for Diaspora if anyone actually used it...

That does not compute.

Working...