Ruby On Rails Exploit Used To Build IRC Botnet
Trailrunner7 writes "Developers who have not updated their Ruby on Rails installations with a five-month-old security patch would do well to secure the Web development framework now. Exploit code has surfaced for CVE-2013-0156 that is being used to build a botnet of compromised servers. Exploit code has been publicly available since the vulnerability was disclosed in January on Github and Metasploit, yet the vulnerability had not been exploited on a large scale until now, said security researcher Jeff Jarmoc."
One reason your web server firewall might want to block IRC connections to arbitrary hosts.
Hah! (Score:1)
Re: (Score:2, Informative)
It's a poorly designed flavour-of-the-month language with a poorly designed API intended for web use, all wrapped up in a stupid alliterative name.
Re: (Score:2, Interesting)
Yeah, took a while to get rid of the plague in the Middle Ages as well, didn't it?
Re: (Score:1)
flavour of the month, 10th birthday soon.
BFD
Windows has been around what? 25 years? Maybe in 15 years Ruby will be as secure and stable as Windows.
But performance wise? Ruby will always be out of its depth in a July Florida parking lot puddle.
Ruby is a nice toy for people who can't code to write web sites for 10 users at a time.
Yeah, GitHub, Shopify and the Twitter frontend seem to be struggling to find users. Maybe they have 10 between them? Right? *nudges elbow* Right?
Re: (Score:2)
Time to move on then. You can't let those cargo-cult following "cool kids" catch up...
Re: (Score:2)
It's not a language.
Um? Yes it is.
Re: (Score:2)
Well, the post I replied to singled out an explanation of Ruby itself, and not the remaining "with a poorly designed API intended for web use" portion.
Re:Hah! (Score:5, Insightful)
"Its a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name"
It's a well-designed and successful framework that has been in mainstream use now for around 10 years.
This "vulnerability" only applies to applications in which the developers did not alter the default value of a cryptographic key, as they are supposed to do. It's roughly the equivalent of leaving your house key in the front door lock.
Why the framework has been catching so much flak over what is actually a developer issue is beyond my understanding. There are, and have been, clear plain-English instructions that the value of that key should be changed for every new application you create.
You blame users for not changing the default password (cryptographic key) on their WiFi router... you don't blame the router manufacturer. So why fault this framework because some people didn't change the default "password"??? Makes no sense.
Re: (Score:2)
It's been the case in PHP for years that various features which make it easy to use also make it easy to exploit (register_globals, for instance). It's that easy-to-use quality which draws low-grade coders to these technologies. Additionally, even an excellent Ruby/Rails coder might follow all best practices and yet the machine still gets compromised by a bug at the web server or OS level. It seems pretty obvious that the higher your stack of coding abstraction gets, the more holes it
Re:Hah! (Score:5, Informative)
(1) Rails and Ruby were virtually unheard of until 2007-2008 and definitely were not in mainstream use until that time.
(2) This vulnerability has nothing to do with "cryptographic key"; it is related to the fact that default YAML parser allows serializing/deserializing and executing arbitrary Ruby code (including objects) and ActiveSupport didn't properly sanitize the input.
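An added Ruby example (not code from the thread or from Rails itself) illustrating the distinction the comment above draws: a parser that performs full YAML object deserialization will instantiate whatever class a tagged node names, while Psych.safe_load restricts the document to plain data types and rejects the tag. The AuditRecord class and the sample document are constructed for the demonstration.

```ruby
require 'yaml'

# Constructed stand-in for an application class that the loader could be
# asked to instantiate; the attribute name is an assumption.
class AuditRecord
  attr_accessor :note
end

# Constructed sample document: a tagged node that names an application class.
# A permissive loader treats this as an instruction to build that object.
TAGGED_DOC = <<~DOC
  ---
  record: !ruby/object:AuditRecord
    note: constructed sample
DOC

# Permissive path: full object deserialization. Newer Psych exposes this as
# unsafe_load; on older Psych, plain YAML.load already behaves this way.
def permissive_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Restricted path: only basic types (strings, numbers, arrays, hashes, ...)
# are allowed; any !ruby/object tag raises Psych::DisallowedClass.
def restricted_load(doc)
  Psych.safe_load(doc)
end

# Run the same document through both paths and report what each one did,
# so the difference between the two parser configurations is visible.
def compare(doc)
  permissive = permissive_load(doc)['record']
  restricted = begin
    restricted_load(doc)
    :accepted
  rescue Psych::DisallowedClass
    :rejected
  end
  { permissive_class: permissive.class.name, restricted: restricted }
end

if __FILE__ == $PROGRAM_NAME
  puts compare(TAGGED_DOC).inspect
end
```

For the affected Rails versions, the upstream advisory's workaround was to remove the "yaml" and "symbol" entries from ActiveSupport::XmlMini::PARSING (or to drop the XML parameter parser altogether) until the patched release was installed.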
Re: (Score:3)
"(1) Rails and Ruby was virtually unheard of until 2007-2008 and definitely was not in mainstream use until that time."
That's pretty funny. I got my degree in Web development in 2005, and we had been studying it for a year. I then went to work for a company that had similarly been using it in production for about a year.
"(2) This vulnerability has nothing to do with "cryptographic key"; it is related to the fact that default YAML parser allows serializing/deserializing and executing arbitrary Ruby code (including objects) and ActiveSupport didn't properly sanitize the input."
Yes, it does. The vulnerability does not exist if the key for the authentication token is not changed from the default.
Re: (Score:2)
"Degree in web development? Is that like Computer Science but without the rigour and more focus on bad languages like PHP and Javascript?"
No.
For one thing it's an Associate's Degree, and for another it isn't intended to be any kind of substitute or "weaker version" of CS. It's Web Development.
But for the record, in case that's what you're implying, I was studying for a Computer Engineering major, and I got the AS in Web Development as a separate (and in many ways unrelated) side discipline.
Having said that, I agree that PHP and JavaScript are bad languages. I wouldn't even call PHP a "language", per se. It's just a huge jumble of incon
Re: (Score:2)
That sa
Re:Hah! (Score:5, Funny)
It's a locomotive-driven precious stone.
Re: (Score:2)
Part of the confusion is that most people heard of PHP before Cake, CodeIgniter or Zend. Most people learned of Ruby through Ruby on Rails and just assumed it was a language, rather than a language and a third-party framework.
Re: (Score:2)
It's a good rapid prototyping system for web apps.
Re: (Score:2)
If you read about it, it sounds delicious. Once you actually find out how it's made, you might change your mind. And you have to find out how it's made if you actually want to do anything useful with it.
It's also capable of being seriously mind-bending when it screws something up. (Today, we found the weirdest of problems with encoding handling in templates. On one level I can see what exactly happened and how it came to pass, but on another level WHY, OH GREAT FLYING SPAGHETTI MONSTER? WHY?)
Is there a reason *not* to block ports? (Score:1, Insightful)
Is there any reason to keep any port open which you don't intend to use?
Re: (Score:3)
No. And quite a few good reasons to block them.
That said, most webservers have no firewall to speak of in front of them and are run by "administrators" who don't even know how to configure the host's software firewall properly to block unwanted traffic (or on shared hosting where the host has no interest in the complexities of managing the software firewall for multiple users).
Re: (Score:1)
Is there any reason to keep any port open which you don't intend to use?
First off, the advice is not to close "open" ports, it is to restrict outbound traffic to commonly used IRC ports. I say commonly used, because IRC can and does run all over the port range, the standard port of 6667 is just a recommendation.
Secondly, it's not ports you need to block, you need to block new outgoing connections. A web client could easily be using a local port of 6667, so simply blocking all traffic to destination port 6667 will piss off real users real quick. Instead, you want to block all ne
Fix is here... (Score:5, Funny)
Fix is here.
http://www.asp.net/
Re: (Score:2)
I don't care for the WebForms event model (lots of bloat and overhead), but the ASP.Net MVC model is pretty efficient (even compared to C) at scale. I would also note there is Mono if you want to do cross platform
Idea (Score:5, Interesting)
There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.
So, basically we could take control of these servers and force them to update to the newest version of Rails?
Re: (Score:2)
take control of these servers and force them to update to the newest version of rails?
Yes and after we are done there:
- find all the Hummers and downgrade the knobby tires to all-season tires for better gas mileage/less noise pollution.
- hand out equipment violations for every small-dick Harley biker running annoying/illegal straight-pipe exhaust.
- hit every Walmart parking lot and jimmy the gas caps so we can upgrade everyone to cleaner burning fuel instead of the 87 octane everyone is using.
- Storm over the counter at every McDonalds and substitute the "beef" burgers with Tofurkey to sav
Ruby on Fails (Score:1)
When will people realise how risky it is to have someone build you a rails based site? They require constant security patching, run so slowly, and are often built by people who claim to be developers, but in reality security and performance are words they don't understand.
Remember - Rails to pose, Python based frameworks for pros.
It really is shocking how many Brogrammers out there think software engineering and good architecture can be achieved by gem or bundle install.
transmogrification (Score:2)
-- I'm feeling silly today --
Re: (Score:1)
The exploit CVE-2013-0156 of Tanagra.
How long... (Score:3)
until someone makes a Bitcoin farming botnet out of all these Ruby on Rails hosts?
Somebody please help me (Score:3)
I am being forced to learn RoR as part of my job. Should I shoot myself?
Re: (Score:2)
Oh, cobol is still there. We are interfacing the two systems.
Re: (Score:2)
The pain is that for compliance reasons we have to row-replicate our "live" records to Santa and the Easter Bunny every month, sometimes more frequently around their rush periods. Fortunately, we did their original database transition in 1973* -- we just use some old JCL scripts someone put together at the time, they still seem to work.
*It's a little known fact that Our Dark and Imperious Prince of Lies actually operated a major consultancy in the 70s. SAP took over most of our clients in the early 80s w
Re: (Score:2)
I don't hate my job as such but RoR makes me want to puke.
Re: (Score:2)
No, shoot whoever decided it would be a good idea instead.
Diaspora (Score:1)
Well this would be a shame for Diaspora if anyone actually used it...