Ruby on Rails exploit shows up in the wild

The vulnerability, CVE-2013-0156, lies in the parameter-parsing code of Ruby on Rails: the XML parameter parser typecast request values from strings into other types, including Symbols and YAML-deserialised objects. It affected every Rails release at the time, including the 2.3 and 3.0 series, and was patched in January 2013 in Rails 3.2.11, 3.1.10, 3.0.19 and 2.3.15. It allows attackers to bypass authentication, inject arbitrary SQL, inject and execute arbitrary code, or mount a denial-of-service attack against an RoR application.

“This vulnerability was the subject of much discussion, and an emergency RoR advisory back in January,” said security expert Jeff Jarmoc, in his blog. “It’s pretty surprising that it’s taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails. It also appears to be affecting some web hosts.”

In this case, the exploit is used to set up an IRC bot, which connects to one of three command-and-control servers (all of which are now down, Jarmoc said) and joins the channel #rails. The script uses a randomly generated nine-character nickname when connecting to IRC.

“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers,” Jarmoc said. “There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.”

He added, “In short, this is a pretty straightforward skiddy exploit of a vulnerability that has been publicly known, and warned about, for months. That isn’t to say it won’t make a bad day for some people, though.”

Indeed, it should be a red flag for anyone still running an unpatched Rails release (anything older than 3.2.11, 3.1.10, 3.0.19 or 2.3.15). The RoR advisory warns that, “The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.”

In other words, an attacker can execute any Ruby code they want, including system commands, meaning that unpatched versions "put thousands of production web sites at risk of remote compromise," as researcher Ben Murphy noted when the flaw was discovered.
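To make the advisory's point concrete, the following is an added example written for this article; it is not Rails' own code and not the exploit Jarmoc analysed. It models the pre-fix behaviour with a constructed typecast table and a toy stand-in for the XML parser (the `Marker` class, the `ATTACK_XML` body and the helper names are all assumptions): an element's `type="..."` attribute selected the cast, so `type="symbol"` let a client mint arbitrary Symbols and `type="yaml"` handed the element body to YAML.load, which instantiated whatever Ruby class the client named. The patched table simply drops those two casts, which is what the January advisory's workaround did.

```ruby
require 'yaml'

# Constructed example (not Rails' own code, not the in-the-wild exploit):
# a minimal model of how the pre-3.2.11 XML parameter parser cast element
# contents according to their type="..." attribute.

# An application class the attacker can name in YAML. The real exploit chained
# object instantiation through Rails-internal classes to reach code execution;
# this example stops at the instantiation step.
class Marker
  attr_accessor :cmd
end

# Psych 4 (Ruby 3.1+) made YAML.load safe by default. In 2013 YAML.load
# instantiated arbitrary objects, so reproduce that behaviour explicitly.
def yaml_2013_load(str)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(str) : YAML.load(str)
end

# Casts supported by the vulnerable parser (a subset, modelled on the advisory).
VULNERABLE_PARSING = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  "symbol"  => ->(s) { s.to_sym },           # client-chosen Symbols: DoS on pre-2.2 Ruby
  "yaml"    => ->(s) { yaml_2013_load(s) },  # client-chosen object graphs: code execution
}.freeze

# The fix / advisory workaround: stop treating "symbol" and "yaml" as castable.
SAFE_PARSING = VULNERABLE_PARSING.reject { |type, _| %w[symbol yaml].include?(type) }.freeze

# Unknown or removed types fall through as the raw string, as in Rails.
def typecast(content, type, table)
  table.key?(type) ? table[type].call(content) : content
end

# Toy stand-in for the XML parser: one root element containing flat children,
# each with an optional type attribute. Not a real XML parser.
ROOT    = %r{\A\s*<(\w+)>(.*)</\1>}m
ELEMENT = %r{<(\w+)(?:\s+type="([^"]*)")?>(.*?)</\1>}m

def parse_params(xml, table)
  body = xml[ROOT, 2] || xml
  body.scan(ELEMENT).each_with_object({}) do |(name, type, content), params|
    params[name] = typecast(content, type, table)
  end
end

# Constructed request body as an attacker would send it (assumed input).
ATTACK_XML = <<~XML
  <user>
    <name>alice</name>
    <age type="integer">30</age>
    <role type="symbol">admin</role>
    <token type="yaml">--- !ruby/object:Marker
  cmd: id
  </token>
  </user>
XML

if __FILE__ == $PROGRAM_NAME
  [["vulnerable", VULNERABLE_PARSING], ["patched", SAFE_PARSING]].each do |label, table|
    params = parse_params(ATTACK_XML, table)
    puts "#{label}: role=#{params['role'].inspect} token=#{params['token'].inspect}"
  end
end
```

Run against the vulnerable table, `role` comes back as the Symbol `:admin` and `token` as a live `Marker` instance whose `cmd` the client set; against the patched table both stay plain strings. The advisory's workaround for sites that could not upgrade immediately was exactly this removal, `ActiveSupport::XmlMini::PARSING.delete("symbol")` and `.delete("yaml")` in an initializer, though upgrading remains the correct fix.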
