[benmmurphy]

An attacker can execute any ruby code he wants including system("unix command"). This effects any rails version for the last 6 years. I've written POCs for Rails 3.x and Rails 2.x on Ruby 1.9.3, Ruby 1.9.2 and Ruby 1.8.7 and there is no reason to believe this wouldn't work on any Ruby/Rails combination since when the bug has been introduced. The exploit does not depend on code the user has written and will work with a new rails application without any controllers.

Here is the commit where it was introduced: https://github.com/rails/rails/commit/27ba5edef1c4264a8d1c0e...

[tptacek]

I can confirm most of what Ben says directly. What I can't confirm, I can't confirm only because Ben is smarter than me about this stuff.

[jerf]

I don't speak Ruby. Can you or someone else be more precise about where that introduces the vulnerability? (Surely it isn't that YAML::load(content) can run arbitrary shell code?)

[tptacek]

Calling YAML::load on attacker-controlled content in a Ruby app of any complexity is very bad news. As Ben and 'judofyr said: this is remote code execution.

[aaronblohowiak]

Is this because Yaml doesn't whitelist the classes for the objects that may be instantiated? They are allocated and then instance_variable_set'd so I'd be Very interested to learn how this poses a risk.

[tptacek]

The people saying that they have POC code for remote code exec aren't making it up.

[aaronblohowiak]

If I implied that I doubted them, then I failed to communicate my point effectively -- I am very curious about how to turn a class allocate + instance_variable_set into remote code exec. I see how you can create the arel objects for sqli, but not arbitrary ruby.

[jgeralnik]

If you wait a couple of weeks you are much more likely to get an answer. Since all rails apps were vulnerable, most people who know how to execute arbitrary code are keeping silent for now.

[cmpb]

It's not a full-on answer, but it should clear up a little bit about how this vulnerability is possible.

http://www.insinuator.net/2013/01/rails-yaml/

[regularfry]

Sorry, would you mind clarifying? Any Ruby app? So a Sinatra app which happened to YAML.load would also be at risk?

[tptacek]

Yes, if attackers controlled the content of the YAML message.

[Turing_Machine]

In much the same way that letting attackers control the parameters to fork() would be a bad idea for a C program or letting attackers control the parameters to Runtime.exec() would be a bad idea for a Java program.

This is a Rails vulnerability, not a Ruby vulnerability.

[judofyr]

I think it's better to not discuss this openly for a few days. The exploit isn't obviously (as you've noticed) so hopefully users will be able to upgrade before the script kiddies discovers this.

[jerf]

Understood, and question withdrawn. Thanks for the answer. I look forward to your future public disclosure. (I mean that sincerely, not as a poke.)

[marshray]

In the meantime, can you confirm that the disabling of XML and YAML inputs fully mitigates the RCE as well as the SQLi?

[tptacek]

The vectors for both are the same. The term "SQLI" here is very misleading.

[judofyr]

Yes.

[rwjblue]

From the rubyonrails-security list:

https://groups.google.com/forum/#!topic/rubyonrails-security...