Hacker News new | ask | show | jobs
by patio11 4893 days ago
This simple command line tool to execute arbitrary code on your server works, kids. I'm also north of 90% probable that I could weaponize it to turn any image tag on the Internet into "roots your local machine", and 100% certain I could do so for any page I could coerce to execute JavaScript.

You need to patch. Now.
3 comments
spohlenz 4893 days ago
> I'm also north of 90% probable that I could weaponize it to turn any image tag on the Internet into "roots your local machine"

Definitely not saying you're wrong, but I'm not convinced this is doable. Every exploit I've seen requires a request body -- how would you do that with an IMG tag?

link
patio11 4893 days ago
Go on a Rails security safari, armed with the knowledge that any YAML parsing is victory, and pay very careful attention to code paths involving Rails/Rack route/parameter processing, especially anything which smells of magic. To clarify: I haven't actually done the work yet.

I'm actually going on a Rails security safari later, though not particularly looking to widen this/these vulnerabilities. I figure I've gotten enough out of the community over the years to contribute part of a workweek and get one more hole plugged.

link
postmodern_mod3 4892 days ago
Not unless nginx/apache routes the request directly to public/. There will definitely be more code-paths to YAML.load, but so far ActionDispatch::Http::Parameters has been the entry point.
link
tedunangst 4893 days ago
I think you mean roots some webserver machine, not the local machine running the browser?
link
patio11 4893 days ago
I mean "This will also let the adversary root your Macbook, Rails developers, if e.g. localhost:3000 is running an unpatched Rails app."

One would think this is strictly less important than "root your server" but that hasn't been true for 100% of Rails developers that I've recently spoken to so, if losing your Macbook is the inducement you need to drop everything you are doing and patch, I will supply that inducement liberally.

link
euroclydon 4891 days ago
My website gets a handful of single-page visits, referred from some real sketchy domains, every day. They are very regular and appear to be automated. I wonder if it's part of a broader scam to get website owners to visit sites which root their dev machine via 0-day browser or server vulnerabilities?
link
tedunangst 4893 days ago
oh, yeah, that too. :)
link
postmodern_mod3 4893 days ago
Bonus points if you exfiltrate config/initializers/secret_token.rb.
link