Botnet Builds off Ruby on Rails Bug

Wednesday, May 29, 2013 @ 01:05 PM gHale

Patches, as mentioned countless times, should end up implemented or there could be consequences down the road.

Take Ruby on Rails as a case in point. A five-month-old security patch could secure the Web development framework now as exploit code has surfaced for CVE-2013-0156 that is in the process of building a botnet of compromised servers.

Ruby on Rails Patches Holes
Botnet Comes Back with DGA Gusto
Botnets Attack Israeli Websites
BackDoor Botnet Taken Over

Exploit code has been publicly available since the vulnerability first came out in January on Github and Metasploit, yet the vulnerability had not suffered exploitation on a large scale until now, said security researcher Jeff Jarmoc.

“I don’t have much evidence as to what the actor may be doing with their compromised machines,” Jarmoc said.

Jarmoc said he found three command and control servers, all of which are down at the moment. The domains previously hosted Trojans and other malware targeting compromised machines.

The exploits set up an IRC chat relay bot that connects to 188[.]190[.]124[.]81 and joins a channel called #rails. The code will execute only once on an infected host.

“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers,” Jarmoc wrote on his blog. “There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.”

A patch for the Ruby on Rails framework came out Jan. 8 and developers urged users to upgrade to versions 3.2.11, 3.1.10, 3.0.19 or 2.3.15, all of which are no longer vulnerable. The advisory issued in January said the vulnerability allows attackers to bypass authentication systems, inject SQL commands, inject and execute code or crash a Rails application.

Despite the five-month window between the patch and the availability of exploit code, a number of Rails frameworks remain unpatched. Jarmoc said some organizations may not realize they are running vulnerable installations, in spite of security advisories on the matter.

“It’s not particularly hard to update Rails, but as with any update there’s a possibility of unintended effects on applications. This alone can cause hesitation in some cases,” Jarmoc said. “There’s a small amount of downtime needed to patch, but downtime-sensitive environments can rely on load balancing, redundant servers, etc. to mitigate that.”

“Given the deployed base of Rails, even a small percentage success rate is likely to compromise a significant number of servers,” Jarmoc said.

Leave a Reply

You must be logged in to post a comment.