
Run arbitrary code in Rails

In short: Rails 2, 3 and 4 applications are subject to arbitrary code execution (RCE), without exception. A shell, reading or wiping the database, whatever you like.

A little more detail. Not so long ago many people noticed that Rails, by default, accepts not only x-www-form-urlencoded parameters but also XML / JSON. And the XML parser internally also accepts a YAML data type:
    <foo type="yaml"> ... </foo>

And YAML, in turn, is a very flexible format: it allows you to instantiate arbitrary classes and then assign arbitrary attributes to them through the [] method, for example.
And in the huge class hierarchy of Rails and related gems you can find a class whose initialization (initialize) or attribute assignment through [] ends up executing arbitrary code taken from that same YAML text.
Researchers found several ways to do this, for example through the class ActionDispatch::Routing::RouteSet::NamedRouteCollection.
A post on the official Rails blog describes the issue and gives the update recommendations.
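The chain above hinges on one thing: the XML parameter parser maps a type attribute to a converter, and the "yaml" converter hands attacker-controlled text to an unrestricted YAML loader. The official workaround was to delete the "yaml" and "symbol" entries from that converter table. The Ruby below is an added illustration written for this page, not Rails' own code: it models the converter table with a small REXML-based parser (parse_params, DEFAULT_CONVERTERS and HARDENED_CONVERTERS are hypothetical names), shows how the hardened table turns a YAML-typed node into a plain string, and adds a request-body check a defender can use to flag such nodes.

```ruby
require "rexml/document"
require "yaml"

# Constructed model of a typed-XML parameter parser: the "type" attribute
# selects a converter, much like ActiveSupport's XmlMini parsing table.
DEFAULT_CONVERTERS = {
  "integer" => ->(s) { Integer(s) },
  "boolean" => ->(s) { s.strip == "true" },
  # In the Ruby/Psych of the affected Rails versions YAML.load was
  # unrestricted, so this converter could instantiate arbitrary objects.
  "yaml"    => ->(s) { YAML.load(s) },
}.freeze

# Hardened table: the advisory's workaround removes the "yaml" and "symbol"
# converters, so such nodes fall through and are kept as plain strings.
HARDENED_CONVERTERS =
  DEFAULT_CONVERTERS.reject { |name, _| %w[yaml symbol].include?(name) }.freeze

# Parse the direct children of the root element into a params hash,
# applying the converter named by each element's "type" attribute.
def parse_params(xml, converters)
  doc = REXML::Document.new(xml)
  doc.root.elements.to_a.each_with_object({}) do |el, out|
    conv = converters[el.attributes["type"]]
    out[el.name] = conv ? conv.call(el.text.to_s) : el.text.to_s
  end
end

# Detection helper: true if any element in the body declares a YAML or
# symbol type, which a legitimate client has no reason to send.
def suspicious_xml?(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "//*[@type]").any? do |el|
    %w[yaml symbol].include?(el.attributes["type"])
  end
end

# Constructed sample request body (benign YAML list, no object tags).
SAMPLE_XML = "<user><name>alice</name><age type=\"integer\">30</age>" \
             "<tags type=\"yaml\">- a\n- b</tags></user>"

if __FILE__ == $0
  p parse_params(SAMPLE_XML, DEFAULT_CONVERTERS)   # tags decoded as an Array
  p parse_params(SAMPLE_XML, HARDENED_CONVERTERS)  # tags kept as a String
  p suspicious_xml?(SAMPLE_XML)                    # true
end
```

With the hardened table the YAML text never reaches a loader, which is exactly what the advisory's configuration change achieves in a real application.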

PS The exploit has been online for 12 hours. Epic. You were warned.

Source: https://habr.com/ru/post/165343/
