Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ruby On Rails Exploit Used To Build IRC Botnet

Posted by Unknown on from the bad-script-kiddie dept.

Trailrunner7 writes "Developers who have not updated their Ruby on Rails installations with a five-month-old security patch would do well to secure the Web development framework now. Exploit code has surfaced for CVE-2013-0156 that is being used to build a botnet of compromised servers. Exploit code has been publicly available since the vulnerability was disclosed in January on Github and Metasploit, yet the vulnerability had not been exploited on a large scale until now, said security researcher Jeff Jarmoc." One reason your web server firewall might want to block IRC connections to arbitrary hosts.

91 comments

  1. Hah! by Anonymous Coward · · Score: 1

    Any developers that would use Ruby on Rails to start with deserve to be Pwned.

    1. Re:Hah! by noh8rz10 · · Score: 2

      what the heck IS ruby on rails? is it two separate things, or one thing? is it like PHP or CSS? I'm bewildered by the technological change on the web. not that I did not say technological advancement, just technological change.

    2. Re:Hah! by Viol8 · · Score: 2, Informative

      Its a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name

    3. Re:Hah! by Anonymous Coward · · Score: 0

      People keep telling me to "google' things, but I'm tired of this, seems too much like they're trying to get ne to some hacker website. What the fuck is a "google" anyways?

    4. Re:Hah! by Anonymous Coward · · Score: 0

      flavour of the month, 10th birthday soon.

    5. Re:Hah! by Anonymous Coward · · Score: 0

      Don't worry, no one's ever actually used it, and no one will. *yawn*

    6. Re:Hah! by Anonymous Coward · · Score: 0

      Its

      "It's"

      a poorly designed flavour of the month language

      It's not a language.

    7. Re:Hah! by Tarlus · · Score: 4, Funny

      It's a locomotive-driven precious stone.

      --
      /* No Comment */
    8. Re:Hah! by Anonymous Coward · · Score: 2, Interesting

      Yeah, took a while to get rid of the plague in the Middle Ages as well, didn't it?

    9. Re:Hah! by Anonymous Coward · · Score: 0

      Its a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name

      And the implementation could suck a bowling ball through a cast-iron sewerpipe - golf ball through a garden hose is a piece of cake.

      Try compiling Ruby with all GCC optimizations turned on - your binary probably won't work at all. The shitbirds who wrote that crap code do things like completely abuse restrictions on the use of setjmp/longjmp.

      God only knows what abusing fundamental restrictions like that do to the security of a binary exposed to whatever web network you put it on.

    10. Re:Hah! by Anonymous Coward · · Score: 0

      flavour of the month, 10th birthday soon.

      BFD

      Windows has been around what? 25 years? Maybe in 15 years Ruby will be as secure and stable as Windows.

      But performance wise? Ruby will always be out of its depth in a July Florida parking lot puddle.

      Ruby is a nice toy for people who can't code to write web sites for 10 users at a time.

    11. Re:Hah! by Anonymous Coward · · Score: 1

      flavour of the month, 10th birthday soon.

      BFD

      Windows has been around what? 25 years? Maybe in 15 years Ruby will be as secure and stable as Windows.

      But performance wise? Ruby will always be out of its depth in a July Florida parking lot puddle.

      Ruby is a nice toy for people who can't code to write web sites for 10 users at a time.

      Yeah, GitHub, Shopify and the Twitter frontend seem to be struggling to find users. Maybe they have 10 between them? Right? *nudges elbow* Right?

    12. Re:Hah! by Anonymous Coward · · Score: 0

      And still just as crappy and insecure as when it was first conceived. But, hey, it sounds cool to the other hipsters at Starbucs while also showing off your MacBook Pro, no?

    13. Re:Hah! by Anonymous Coward · · Score: 0

      He was talking about Ruby on Rails not Django.

    14. Re:Hah! by Tarlus · · Score: 1

      It's not a language.

      Um? Yes it is.

      --
      /* No Comment */
    15. Re:Hah! by Anonymous Coward · · Score: 0

      I keep reading your post but I only see "What the heck is Google?"

    16. Re:Hah! by Anonymous Coward · · Score: 0

      http://lmgtfy.com/?q=google

    17. Re:Hah! by Anonymous Coward · · Score: 0

      It is a common reply by people too lazy to respond, or maybe they just don't know the answer and can't admit it.

    18. Re:Hah! by Anonymous Coward · · Score: 0

      It's not a language.

      Um? Yes it is.

      You can repeat it all you want. RoR is NOT a language. Perhaps you'd call Zope a language to! :S

    19. Re:Hah! by Anonymous Coward · · Score: 0

      Ruby is a scripting language

      Ruby on Rails is a framework for that language, like CakePHP or CodeIgniter are frameworks for PHP

    20. Re:Hah! by Anonymous Coward · · Score: 0

      There is a reason why its twitter's front end, and not all of twitter as it once was. It seems like switching the back end from Ruby to scala finally got reduced the apperance of the fail whale. Otherwise known as the ruby fail whale

    21. Re:Hah! by Bill,+Shooter+of+Bul · · Score: 1

      part of the confusion, is that most people heard of php before cake, code igniter or zend. Most people learned of ruby through Ruby on Rails and just assumed it was a language. Rather than a language and a third party framework.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    22. Re:Hah! by meta-monkey · · Score: 1

      It's a good rapid prototyping system for web apps.

      --
      We don't have a state-run media we have a media-run state.
    23. Re:Hah! by Jane+Q.+Public · · Score: 4, Insightful

      "Its a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name"

      It's a well-designed and successful framework that has been in mainstream use now for around 10 years.

      This "vulnerability" only applies to applications in which the developers did not alter the default value of a cryptographic key, as they are supposed to do. It's roughly the equivalent of leaving your house key in the front door lock.

      Why the framework has been catching so much flak over what is actually a developer issue is beyond my understanding. There are, and have been, clear plain-English instructions that the value of that key should be changed for every new application you create.

      You blame users for not changing the default password (cryptographic key) on their WiFi router... you don't blame the router manufacturer. So why fault this framework because some people didn't change the default "password"??? Makes no sense.

    24. Re:Hah! by Dragonslicer · · Score: 2

      Ruby is a programming language. The "Rails" part of Ruby on Rails is a framework. It's roughly equivalent to the difference between C# and .NET.

    25. Re:Hah! by aztracker1 · · Score: 1

      I don't know that it was poorly designed... I think of it as mostly an extension to Perl, not that I write much of either. It doesn't really appeal to me, but that doesn't mean one can't appreciate it as a language. I've been a fan of JS before all the cool kids took notice, but it has a lot of warts, just the same, it's garnered a lot of attention for use in certain scenarios where it is a good fit, perhaps JS+NodeJS isn't as good a fit as Lua+Luvit, but it works, and is a widely used language.

      That said, I've done most of my server-side coding for the better part of a decade in C# (.Net). I've seen plenty of people doing stupid stuff in the language/platform. You can build crap in any platform... not to mention that platform vulnerabilities happen, though imho less often than diy platforms tend to have. It's important to keep up on security updates.

      --
      Michael J. Ryan - tracker1.info
    26. Re:Hah! by Anonymous Coward · · Score: 0

      It's a well-designed and successful framework

      Successful, maybe. Well-designed: absolutely not.

    27. Re:Hah! by aztracker1 · · Score: 1

      The cool kids have mostly moved on to NodeJS and Express. I like NodeJS and Express myself, but was into JS long before all the cool kids came along.

      --
      Michael J. Ryan - tracker1.info
    28. Re:Hah! by sneakyimp · · Score: 1

      Botnet on Rails lol!

      It's been the case in PHP for years that various features which make it easy to use also make it easy to exploit (register_globals, for instance). It's that easy-to-use quality which draws low-grade coders to these technologies. Additionally, even an excellent Ruby/Rails coder might follow all best practices and yet the machine still gets compromised by a bug at the web server or OS level. It seems pretty obvious that the higher your stack of coding abstraction gets, the more holes it will inevitably have, and the poorer its performance. The more intuitive and simple you make it, the more bad coders it will draw.

      On the other hand, your abstraction is easier to understand and more expressive. Try programming a (secure) web application in assembler.

    29. Re: Hah! by Greyfox · · Score: 1

      It's a flavor of kool aid they want you to drink. It's composed od several other very bad flavors, most distinct of which are active record and magic. Active record is also very magic-flavored, which one might find confusing until they figure out what this is all about. If you read about it, it sounds delicious. Once you actually find out how it's made, you might change your mind. And you have to find out how it's made if you actually want to do anything useful with it.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    30. Re:Hah! by Tarlus · · Score: 1

      Well, the post I replied to singled out an explanation of Ruby itself, and not the remaining "with a poorly designed API intended for web use" portion.

      --
      /* No Comment */
    31. Re:Hah! by James+Keane · · Score: 1

      The front end is still Ruby, the replaced the messaging systems with something more suitable.

    32. Re:Hah! by dkf · · Score: 1

      Time to move on then. You can't let those cargo-cult following "cool kids" catch up...

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    33. Re: Hah! by dkf · · Score: 1

      If you read about it, it sounds delicious. Once you actually find out how it's made, you might change your mind. And you have to find out how it's made if you actually want to do anything useful with it.

      It's also capable of being seriously mind-bending when it screws something up. (Today, we found the weirdest of problems with encoding handling in templates. On one level I can see what exactly happened and how it came to pass, but on another level WHY, OH GREAT FLYING SPAGHETTI MONSTER? WHY?)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    34. Re:Hah! by wumpus188 · · Score: 4, Informative

      (1) Rails and Ruby was virtually unheard of until 2007-2008 and definitely was not in mainstream use until that time.

      (2) This vulnerability has nothing to do with "cryptographic key"; it is related to the fact that default YAML parser allows serializing/deserializing and executing arbitrary Ruby code (including objects) and ActiveSupport didn't properly sanitize the input.

    35. Re:Hah! by Anonymous Coward · · Score: 0

      (1) Rails and Ruby was virtually unheard of until 2007-2008

      That's interesting. I was working with a company around that time who were very well established in Rails development. Finding developers was a walk in the park, and the community was huge and very active. I don't know what you classify as "virtually" unheard of.

    36. Re:Hah! by Jane+Q.+Public · · Score: 2

      "(1) Rails and Ruby was virtually unheard of until 2007-2008 and definitely was not in mainstream use until that time."

      That's pretty funny. I got my degree in Web development in 2005, and we had been studying it for a year. I then went to work for a company that had similarly been using it in production for about a year.

      "(2) This vulnerability has nothing to do with "cryptographic key"; it is related to the fact that default YAML parser allows serializing/deserializing and executing arbitrary Ruby code (including objects) and ActiveSupport didn't properly sanitize the input."

      Yes, it does. The vulnerability does not exist if the key for the authentication token is not changed from the default.

    37. Re:Hah! by Anonymous Coward · · Score: 0

      "That's pretty funny. I got my degree in Web development in 2005"

      Degree in web development? Is that like Computer Science but without the rigour and more focus on bad languages like PHP and Javascript?

    38. Re:Hah! by Jane+Q.+Public · · Score: 1

      "Degree in web development? Is that like Computer Science but without the rigour and more focus on bad languages like PHP and Javascript?"

      No.

      For one thing it's an Associates Degree, and for another it isn't intended to be any kind of substitute or "weaker version" of CS. It's Web Development

      But for the record, in case that's what you're implying, I was studying for a Computer Engineering major, and I got the AS in Web Development as a separate (and in many ways unrelated) side discipline.

      Having said that, I agree that PHP and JavaScript are bad languages. I wouldn't even call PHP a "language", per se. It's just a huge jumble of inconsistent utility functions.

    39. Re:Hah! by Anonymous Coward · · Score: 0

      The TwitFucks had issues because they were using MySQL as their message queue.

      Nothing to do with Rails or Ruby.

    40. Re:Hah! by Anonymous Coward · · Score: 0

      That is pretty funny the butt-hurt lamers were crying about RoR in 2005.

    41. Re:Hah! by Anonymous Coward · · Score: 0

      Ruby is a full-featured language and decidedly not a scripting language

  2. Is there a reason *not* to block ports? by Anonymous Coward · · Score: 1, Insightful

    Is there any reason to keep any port open which you don't intend to use?

    1. Re:Is there a reason *not* to block ports? by Aaden42 · · Score: 2

      No. And quite a few good reasons to block them.

      That said, most webservers have no firewall to speak of in front of them and are run by "administrators" who don't even know how to configure the hosts's software firewall properly to block unwanted traffic (or on shared hosting where the host has no interest in the complexities of managing the software firewall for multiple users).

    2. Re:Is there a reason *not* to block ports? by Anonymous Coward · · Score: 2, Funny

      That's a damned good point...I wish someone would pop in here and give us some of the secret inner workings of the HOSTS file...

    3. Re:Is there a reason *not* to block ports? by Anonymous Coward · · Score: 1

      Is there any reason to keep any port open which you don't intend to use?

      First off, the advice is not to close "open" ports, it is to restrict outbound traffic to commonly used IRC ports. I say commonly used, because IRC can and does run all over the port range, the standard port of 6667 is just a recommendation.

      Secondly, it's not ports you need to block, you need to block new outgoing connections. A web client could easily be using a local port of 6667, so simply blocking all traffic to destination port 6667 will piss off real users real quick. Instead, you want to block all new outgoing connections. New incoming connections are fine, related connections are fine.

      Most firewalls do not do this. Most will simply do what the above coward suggested, and block all unused local ports on the server. Well done, totally missed the point.

    4. Re:Is there a reason *not* to block ports? by Anonymous Coward · · Score: 0

      ZALGO! HE COMES!

  3. Fix is here... by mystikkman · · Score: 5, Funny

    Fix is here.

    http://www.asp.net/

    1. Re:Fix is here... by Anonymous Coward · · Score: 0

      Not sure if +1 funny or -1 stupid.

    2. Re:Fix is here... by Anonymous Coward · · Score: 0

      Not sure if -1 Went over your fucking head or -1 Idiotic fanboy freetard

    3. Re:Fix is here... by Anonymous Coward · · Score: 0

      He just tells them to do like Cleopatra and kill themselves with long, painful death of venomous snake bite.

      Nobody likes Ruby on Rails programmers.

    4. Re:Fix is here... by Anonymous Coward · · Score: 0

      Bah. Wasteful bloat and unneeded garbage. Plus, not cross-platform. Correct fix is here, or possibly here.

      (I'm half joking, half telling you kids to get off my lawn and take your w3 with you.)

    5. Re:Fix is here... by Anonymous Coward · · Score: 0

      If you're going to troll, do it properly.

      http://www.php.net

    6. Re:Fix is here... by aztracker1 · · Score: 1

      Ouch... lets just scale the risk of memory leaks out a lot while we're at it...

      I don't care for the WebForms event model (lots of bloat and overhead), but the ASP.Net MVC model is pretty efficient (even compared to C) at scale. I would also note there is Mono if you want to do cross platform .Net (personally, I think it's more painful to configure than my time is worth and would rather buy an MS license for Windows Web Server in a business environment). I've actually been considering taking my handful of personal-use .Net sites over to Mono.

      I've been finding lately that I really like NodeJS and Express more than anything else out there. Yeah, I don't get a lot of the IDE benefits (WebStorm is nice enough for me), but the paradigm is so much cleaner.

      --
      Michael J. Ryan - tracker1.info
    7. Re:Fix is here... by Anonymous Coward · · Score: 0

      Not sure if you are such as asshole because you are 12 or if just too fucking ugly to get laid

    8. Re:Fix is here... by Anonymous Coward · · Score: 0

      Neither, why do you do it?

    9. Re:Fix is here... by Anonymous Coward · · Score: 0

      Not sure if you are such as asshole because you are 12 or if just too fucking ugly to get laid

      And I guess you're both these things? Grow up.

  4. Idea by stewsters · · Score: 4, Interesting

    From TFA:
    There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.

    So, basically we could take control of theses servers and force them to update to the newest version of rails?

    1. Re:Idea by Anonymous Coward · · Score: 0

      No. This comment is in regards to the bots. You could join the IRC server and issue commands to the bots.

    2. Re:Idea by sl4shd0rk · · Score: 1

      take control of theses servers and force them to update to the newest version of rails?

      Yes and after we are done there:
      - find all the Hummers and downgrade the knobby tires to all-season tires for better gas mileage/less noise pollution.
      - hand out equipment viloations for every small-dick harley biker running annoying/illegal straight-pipe exhaust.
      - hit every Walmart parking lots and jimmie the gas caps so we can upgrade everyone to cleaner burning fuel instead of the 87 octane everyone is using.
      - Storm over the counter at every McDonalds and substitute the "beef" burgers with Tofurkey to save everyone's HDL.
      - Use the current Rails exploit to hack EC2 and remove every Bieber/Lady Gaga download to save everyone from themselves.

      I'd love to fix all these finger-nail-on-chalkboard annonyances of every-day life too, but sometimes IRL, people code explicitly for those versions which later become vulnerable and they need to assess if any business logic is going to be broken via the upgrades. Sometimes you spend extra money on segregation/data separation/egress monitoring to keep the business running on vulnerable software while fixes are put in place. It would be fun to see the look on everryone's faces making Robin-Hood style fixes on all these things, but realistically it just makes you look as douchey as the original exploit author.

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    3. Re:Idea by aztracker1 · · Score: 1

      They don't even need to update the Rails version, just change the default encryption key used for the secure cookies token(s).

      --
      Michael J. Ryan - tracker1.info
  5. One reason your web server firewall might want to by Anonymous Coward · · Score: 0

    Yup,
    so the botnet creators will finally switch to using pastebin or some other service of this kind.

  6. Ruby on Fails by Anonymous Coward · · Score: 1

    When will people realise how risky it is to have someone build you a rails based site? They require constant security patching, run so slowly, and are often built by people who claim to be developers, but in reality security and performance are words they don't understand.

    Remember - Rails to pose, Python based frameworks for pros.

    It really is shocking how many Brogrammers out there think software engineering and good architecture can be achieved by gem or bundle install.

    1. Re:Ruby on Fails by noh8rz10 · · Score: 1

      i like the term brogrammers... wolfpack!

  7. transmogification by nozzo · · Score: 1

    Ruby on Wax

    -- I'm feeling silly today --

  8. Jeff Jarmoc ... by Anonymous Coward · · Score: 0

    ... and Jalad ... at Tanagra.

    1. Re:Jeff Jarmoc ... by Iskender · · Score: 1

      The exploit CVE-2013-0156 of Tanagra.

  9. wake me by wbr1 · · Score: 1

    For an irc sky net please.

    --
    Silence is a state of mime.
  10. Re:One reason your web server firewall might want by Anonymous Coward · · Score: 0

    So your web server has reason to access pastebin or some other service of this kind?

  11. How long... by Thantik · · Score: 2

    until someone makes a Bitcoin farming botnet out of all these Ruby on Rails hosts?

    1. Re:How long... by Anonymous Coward · · Score: 0

      until someone makes a Bitcoin farming botnet out of all these Ruby on Rails hosts?

      It's Ruby. How many decades would it take an infinite Ruby botnet to farm a single Bitcoin?

    2. Re:How long... by Anonymous Coward · · Score: 0

      Its not a ruby based botnet... Its exploiting a bug in ruby on rails framework. The botnet is a shitty IRC botnet.

  12. Or... by Anonymous Coward · · Score: 0

    One reason your web server firewall might want to block IRC connections to arbitrary hosts.

    Alternatively, it's also another good reason to not use Rails...

  13. Somebody please help me by fredrated · · Score: 2

    I am being forced to learn RoR as part of my job. Should I shoot myself?

    1. Re:Somebody please help me by Anonymous Coward · · Score: 0

      Yes!

    2. Re:Somebody please help me by Anonymous Coward · · Score: 0

      Yes! More available job market for me!

    3. Re:Somebody please help me by iluvcapra · · Score: 1

      Don't, you'll go to hell, where you'll be forced to write a data warehousing backend for Satan's business affairs platform, which runs WebObjects.

      --
      Don't blame me, I voted for Baltar.
    4. Re:Somebody please help me by Anonymous Coward · · Score: 0

      If you hate your job that much, yeah. Otherwise be glad that you're employed in such a shitty market and shut the fuck up.

    5. Re:Somebody please help me by Anonymous Coward · · Score: 0

      When did Satan upgrade from COBOL?

    6. Re:Somebody please help me by fredrated · · Score: 1

      I don't hate my job as such but RoR makes me want to puke.

    7. Re:Somebody please help me by tibman · · Score: 1

      Oh, cobol is still there. We are interfacing the two systems.

      --
      http://soylentnews.org/~tibman
    8. Re:Somebody please help me by iluvcapra · · Score: 1

      The pain is that for compliance reasons we have to row-replicate our "live" records to Santa and the Easter Bunny every month, sometimes more frequently around their rush periods. Fortunately, we did their original database transition in 1973* -- we just use some old JCL scripts someone put together at the time, they still seem to work.

      *It's a little known fact that Our Dark and Imperious Prince of Lies actually operated a major consultancy in the 70s. SAP took over most of our clients in the early 80s when we transitioned into the consumer space (you've probably used our toner cartridges). Anyways that's why we did Leo Apotheker such a big favor.

      --
      Don't blame me, I voted for Baltar.
    9. Re:Somebody please help me by Xest · · Score: 1

      No, shoot whoever decided it would be a good idea instead.

  14. IRC by Anonymous Coward · · Score: 0

    Just block IRC from your network completely. Its main use nowadays seems to be for criminal hacking.

  15. Fines by ThatsNotPudding · · Score: 1

    At least where they have regulatory authority (USA), the FCC needs to start fining people running servers with blatant security holes that they ignore. A sliding scale based on the percentage of the organizations' income, with real non-profits exempt (except blocked until they patch). This might finally get some folks' attention who think they can setup a server (or hire someone to set it up) but not maintain it as long as they're making money.

    1. Re:Fines by Jawnn · · Score: 1

      That, or require a license, granted on demonstration of suitable proficiency, before being allowed to run _any_ server that is connected to the Internet. Yeah, that'll happen.

    2. Re:Fines by Anonymous Coward · · Score: 0

      That, or require a license, granted on demonstration of suitable proficiency, before being allowed to run _any_ server that is connected to the Internet. Yeah, that'll happen.

      Oh, right. That'd be great.

      Government regulation over who can connect to the internet.

      Hell, let's put that wonderful non-partisan IRS in charge.

      They'll NEVER abuse their power.....

  16. Firewall by Vrtigo1 · · Score: 1

    If your webserver firewall allows outbound connections to anything you can't easily provide an explanation for then you need to be sent to a remedial network security course. All our devs hate me because everytime they deploy something to production it inevitably breaks because they didn't submit a request to have the necessary ports opened in the firewall, but I'd rather deal with devs hating me than me hating devs because their insecure apps got us hacked.

    1. Re:Firewall by Anonymous Coward · · Score: 0

      Once you open a single port for outbound connections, you lose the ability to stop malware from using your server as a base of operations.

      Of course, drop all outbound traffic and you are screwed.

      Moral: A firewall can not protect you.

  17. Diaspora by readingaccount · · Score: 1

    Well this would be a shame for Diaspora if anyone actually used it...