[cheald]

I'm pretty sure that the injection only works when you can forge a session because sessions may contain marshalled symbols, and the dynamic finders only accepted symbol option keys as valid. You can't get Rails to construct symbols out of a params hash. Is this a separate vulnerability?

[tptacek]

You can get Rails to construct symbols out of a params hash in some cases.

[cheald]

Seconding icambron - how? Because I've been up and down that code and can't see any way to do it. Frankly, I don't think it's possible, because otherwise you would have a trivial DOS vector into any Rails application.

[tptacek]

It is possible, but not straightforwardly. There isn't a code path I know of that converts param keys to symbols.

(I wouldn't have said it was possible unless I had a curl line that did it, for what it's worth.)

[cheald]

You're the expert here, but that's really disturbing. Is it fixable?

[ufo]

How is this a DOS vector? Would passing a symbol instead of a string in the parameters cause the app to crash?

[tptacek]

No; the theory behind that attack is, Rails doesn't GC symbols, so you could just repeatedly stuff requests that created new symbols until memory was exhausted. I don't care about that attack (there are others like it), but it's viable.

[cheald]

Symbols are interned and never garbage collected, so if you can cause an app to create arbitrary symbols, you can cause it to use up all the RAM on the machine and throw it into swap, effectively killing its ability to respond to requests in any kind of timely fashion.

[icambron]

Honest question: how?

[kill9]

I doubt tptacek will publicly reveal ways to exploit this (or any) vulnerability.

EDIT Well... he might, but I've never seen him do it. He's a security professional, after all.