Slashdot Mirror


Ruby On Rails Exploit Used To Build IRC Botnet

Trailrunner7 writes "Developers who have not updated their Ruby on Rails installations with a five-month-old security patch would do well to secure the Web development framework now. Exploit code has surfaced for CVE-2013-0156 that is being used to build a botnet of compromised servers. Exploit code has been publicly available since the vulnerability was disclosed in January on Github and Metasploit, yet the vulnerability had not been exploited on a large scale until now, said security researcher Jeff Jarmoc." One reason your web server firewall might want to block IRC connections to arbitrary hosts.

14 of 91 comments

  1. Re:Hah! by noh8rz10 · · Score: 2

    what the heck IS ruby on rails? is it two separate things, or one thing? is it like PHP or CSS? I'm bewildered by the technological change on the web. note that I did not say technological advancement, just technological change.

  2. Fix is here... by mystikkman · · Score: 5, Funny

    Fix is here.

    http://www.asp.net/

  3. Idea by stewsters · · Score: 4, Interesting

    From TFA:
    There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.

    So, basically we could take control of these servers and force them to update to the newest version of rails?

  4. Re:Hah! by Viol8 · · Score: 2, Informative

    It's a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name

  5. Re:Is there a reason *not* to block ports? by Aaden42 · · Score: 2

    No. And quite a few good reasons to block them.

    That said, most webservers have no firewall to speak of in front of them and are run by "administrators" who don't even know how to configure the host's software firewall properly to block unwanted traffic (or on shared hosting where the host has no interest in the complexities of managing the software firewall for multiple users).

  6. How long... by Thantik · · Score: 2

    until someone makes a Bitcoin farming botnet out of all these Ruby on Rails hosts?

  7. Re:Is there a reason *not* to block ports? by Anonymous Coward · · Score: 2, Funny

    That's a damned good point...I wish someone would pop in here and give us some of the secret inner workings of the HOSTS file...

  8. Re:Hah! by Tarlus · · Score: 4, Funny

    It's a locomotive-driven precious stone.

    --
    /* No Comment */

  9. Re:Hah! by Anonymous Coward · · Score: 2, Interesting

    Yeah, took a while to get rid of the plague in the Middle Ages as well, didn't it?

  10. Somebody please help me by fredrated · · Score: 2

    I am being forced to learn RoR as part of my job. Should I shoot myself?

  11. Re:Hah! by Jane Q. Public · · Score: 4, Insightful

    "Its a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name"

    It's a well-designed and successful framework that has been in mainstream use now for around 10 years.

    This "vulnerability" only applies to applications in which the developers did not alter the default value of a cryptographic key, as they are supposed to do. It's roughly the equivalent of leaving your house key in the front door lock.

    Why the framework has been catching so much flak over what is actually a developer issue is beyond my understanding. There are, and have been, clear plain-English instructions that the value of that key should be changed for every new application you create.

    You blame users for not changing the default password (cryptographic key) on their WiFi router... you don't blame the router manufacturer. So why fault this framework because some people didn't change the default "password"??? Makes no sense.

  12. Re:Hah! by Dragonslicer · · Score: 2

    Ruby is a programming language. The "Rails" part of Ruby on Rails is a framework. It's roughly equivalent to the difference between C# and .NET.

  13. Re:Hah! by wumpus188 · · Score: 4, Informative

    (1) Rails and Ruby were virtually unheard of until 2007-2008 and definitely were not in mainstream use until that time.

    (2) This vulnerability has nothing to do with a "cryptographic key"; it is related to the fact that the default YAML parser allows serializing/deserializing and executing arbitrary Ruby code (including objects) and ActiveSupport didn't properly sanitize the input.
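
    An added defender-side check, not code from this thread or from Rails itself: the patched releases for CVE-2013-0156 stopped honouring the "yaml" and "symbol" type coercions when converting an XML request body into params, which is the path by which untrusted input reached the YAML parser. This stand-alone Ruby function (stdlib REXML only; the sample bodies are constructed) flags request bodies that still carry such typed elements, so a Rack middleware or reverse-proxy rule can reject them before an unpatched application parses them.

```ruby
# Added example, not from the Slashdot thread or from the Rails code base.
# Detects XML parameter bodies containing elements typed "yaml" or "symbol",
# the shape that triggered YAML object deserialization in unpatched Rails
# (CVE-2013-0156). Returns a list of offending elements; empty means clean.
require "rexml/document"

DANGEROUS_TYPES = %w[yaml symbol].freeze

def yaml_typed_elements(xml_body)
  doc = REXML::Document.new(xml_body)
  hits = []
  doc.each_recursive do |el|
    t = el.attributes["type"]
    # Compare case-insensitively: a stricter match than Rails used, so that
    # a filter in front of the app errs on the side of rejecting.
    hits << "#{el.xpath} type=#{t}" if t && DANGEROUS_TYPES.include?(t.downcase)
  end
  hits
rescue REXML::ParseException
  # Malformed XML never reaches the typed-node coercion, but report it anyway
  # so parser differences between the filter and the app cannot be exploited.
  ["unparseable XML"]
end

# Convenience predicate for use in a middleware or proxy rule.
def suspicious_xml_params?(xml_body)
  !yaml_typed_elements(xml_body).empty?
end

# Constructed sample request bodies (not captured traffic).
BENIGN = '<?xml version="1.0"?><post><title>hello</title><count type="integer">3</count></post>'
TYPED  = '<?xml version="1.0"?><post><title type="yaml">--- some yaml</title></post>'
NESTED = '<?xml version="1.0"?><post><meta><tag type="Symbol">x</tag></meta></post>'

if __FILE__ == $PROGRAM_NAME
  [BENIGN, TYPED, NESTED].each do |body|
    puts "#{suspicious_xml_params?(body) ? 'REJECT' : 'allow '} #{yaml_typed_elements(body).inspect}"
  end
end
```

The same idea is what the upstream fix encodes: rather than pattern-matching bodies, a patched Rails simply no longer maps those type attributes to YAML or Symbol parsing.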

  14. Re:Hah! by Jane Q. Public · · Score: 2

    "(1) Rails and Ruby was virtually unheard of until 2007-2008 and definitely was not in mainstream use until that time."

    That's pretty funny. I got my degree in Web development in 2005, and we had been studying it for a year. I then went to work for a company that had similarly been using it in production for about a year.

    "(2) This vulnerability has nothing to do with "cryptographic key"; it is related to the fact that default YAML parser allows serializing/deserializing and executing arbitrary Ruby code (including objects) and ActiveSupport didn't properly sanitize the input."

    Yes, it does. The vulnerability does not exist if the key for the authentication token is not changed from the default.