
Ruby On Rails Exploit Used To Build IRC Botnet

Unknown Lamer posted about a year ago | from the bad-script-kiddie dept.


Trailrunner7 writes "Developers who have not updated their Ruby on Rails installations with a five-month-old security patch would do well to secure the Web development framework now. Exploit code has surfaced for CVE-2013-0156 that is being used to build a botnet of compromised servers. Exploit code has been publicly available since the vulnerability was disclosed in January on GitHub and Metasploit, yet the vulnerability had not been exploited on a large scale until now, said security researcher Jeff Jarmoc." One reason your web server firewall might want to block IRC connections to arbitrary hosts.


91 comments

Hah! (1)

Anonymous Coward | about a year ago | (#43849957)

Any developers that would use Ruby on Rails to start with deserve to be Pwned.

Re:Hah! (2)

noh8rz10 (2716597) | about a year ago | (#43850021)

What the heck IS Ruby on Rails? Is it two separate things, or one thing? Is it like PHP or CSS? I'm bewildered by the technological change on the web. Note that I did not say technological advancement, just technological change.

Re:Hah! (2, Informative)

Viol8 (599362) | about a year ago | (#43850065)

Its a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43850191)

flavour of the month, 10th birthday soon.

Re:Hah! (2, Interesting)

Anonymous Coward | about a year ago | (#43850483)

Yeah, took a while to get rid of the plague in the Middle Ages as well, didn't it?

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43850593)

flavour of the month, 10th birthday soon.

BFD

Windows has been around what? 25 years? Maybe in 15 years Ruby will be as secure and stable as Windows.

But performance wise? Ruby will always be out of its depth in a July Florida parking lot puddle.

Ruby is a nice toy for people who can't code to write web sites for 10 users at a time.

Re:Hah! (1)

Anonymous Coward | about a year ago | (#43850827)

flavour of the month, 10th birthday soon.

BFD

Windows has been around what? 25 years? Maybe in 15 years Ruby will be as secure and stable as Windows.

But performance wise? Ruby will always be out of its depth in a July Florida parking lot puddle.

Ruby is a nice toy for people who can't code to write web sites for 10 users at a time.

Yeah, GitHub, Shopify and the Twitter frontend seem to be struggling to find users. Maybe they have 10 between them? Right? *nudges elbow* Right?

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43851689)

There is a reason why it's Twitter's front end, and not all of Twitter as it once was. It seems like switching the back end from Ruby to Scala finally reduced the appearance of the fail whale, otherwise known as the Ruby fail whale.

Re:Hah! (0)

Anonymous Coward | about 10 months ago | (#43992703)

The TwitFucks had issues because they were using MySQL as their message queue.

Nothing to do with Rails or Ruby.

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43850951)

And still just as crappy and insecure as when it was first conceived. But, hey, it sounds cool to the other hipsters at Starbucks while also showing off your MacBook Pro, no?

Re:Hah! (1)

aztracker1 (702135) | about a year ago | (#43852395)

The cool kids have mostly moved on to NodeJS and Express. I like NodeJS and Express myself, but was into JS long before all the cool kids came along.

Re:Hah! (1)

dkf (304284) | about a year ago | (#43854375)

Time to move on then. You can't let those cargo-cult following "cool kids" catch up...

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43850365)

Its

"It's"

a poorly designed flavour of the month language

It's not a language.

Re:Hah! (1)

Tarlus (1000874) | about a year ago | (#43851141)

It's not a language.

Um? Yes it is.

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43851621)

It's not a language.

Um? Yes it is.

You can repeat it all you want. RoR is NOT a language. Perhaps you'd call Zope a language too! :S

Re:Hah! (2)

Dragonslicer (991472) | about a year ago | (#43852069)

Ruby is a programming language. The "Rails" part of Ruby on Rails is a framework. It's roughly equivalent to the difference between C# and .NET.

Re:Hah! (1)

Tarlus (1000874) | about a year ago | (#43853655)

Well, the post I replied to singled out an explanation of Ruby itself, and not the remaining "with a poorly designed API intended for web use" portion.

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43850501)

Its a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name

And the implementation could suck a bowling ball through a cast-iron sewer pipe - golf ball through a garden hose is a piece of cake.

Try compiling Ruby with all GCC optimizations turned on - your binary probably won't work at all. The shitbirds who wrote that crap code do things like completely abuse restrictions on the use of setjmp/longjmp.

God only knows what abusing fundamental restrictions like that does to the security of a binary exposed to whatever web network you put it on.

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43851011)

He was talking about Ruby on Rails not Django.

Re:Hah! (4, Insightful)

Jane Q. Public (1010737) | about a year ago | (#43851889)

"Its a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name"

It's a well-designed and successful framework that has been in mainstream use now for around 10 years.

This "vulnerability" only applies to applications in which the developers did not alter the default value of a cryptographic key, as they are supposed to do. It's roughly the equivalent of leaving your house key in the front door lock.

Why the framework has been catching so much flak over what is actually a developer issue is beyond my understanding. There are, and have been, clear plain-English instructions that the value of that key should be changed for every new application you create.

You blame users for not changing the default password (cryptographic key) on their WiFi router... you don't blame the router manufacturer. So why fault this framework because some people didn't change the default "password"??? Makes no sense.

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43852375)

It's a well-designed and successful framework

Successful, maybe. Well-designed: absolutely not.

Re:Hah! (1)

sneakyimp (1161443) | about a year ago | (#43852409)

Botnet on Rails lol!

It's been the case in PHP for years that various features which make it easy to use also make it easy to exploit (register_globals, for instance). It's that easy-to-use quality which draws low-grade coders to these technologies. Additionally, even an excellent Ruby/Rails coder might follow all best practices and yet the machine still gets compromised by a bug at the web server or OS level. It seems pretty obvious that the higher your stack of coding abstraction gets, the more holes it will inevitably have, and the poorer its performance. The more intuitive and simple you make it, the more bad coders it will draw.

On the other hand, your abstraction is easier to understand and more expressive. Try programming a (secure) web application in assembler.

Re:Hah! (4, Informative)

wumpus188 (657540) | about a year ago | (#43855009)

(1) Rails and Ruby was virtually unheard of until 2007-2008 and definitely was not in mainstream use until that time.

(2) This vulnerability has nothing to do with "cryptographic key"; it is related to the fact that default YAML parser allows serializing/deserializing and executing arbitrary Ruby code (including objects) and ActiveSupport didn't properly sanitize the input.

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43857115)

(1) Rails and Ruby was virtually unheard of until 2007-2008

That's interesting. I was working with a company around that time who were very well established in Rails development. Finding developers was a walk in the park, and the community was huge and very active. I don't know what you classify as "virtually" unheard of.

Re:Hah! (2)

Jane Q. Public (1010737) | about a year ago | (#43857769)

"(1) Rails and Ruby was virtually unheard of until 2007-2008 and definitely was not in mainstream use until that time."

That's pretty funny. I got my degree in Web development in 2005, and we had been studying it for a year. I then went to work for a company that had similarly been using it in production for about a year.

"(2) This vulnerability has nothing to do with "cryptographic key"; it is related to the fact that default YAML parser allows serializing/deserializing and executing arbitrary Ruby code (including objects) and ActiveSupport didn't properly sanitize the input."

Yes, it does. The vulnerability does not exist if the key for the authentication token is not changed from the default.

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43858783)

"That's pretty funny. I got my degree in Web development in 2005"

Degree in web development? Is that like Computer Science but without the rigour and more focus on bad languages like PHP and Javascript?

Re:Hah! (1)

Jane Q. Public (1010737) | about a year ago | (#43861243)

"Degree in web development? Is that like Computer Science but without the rigour and more focus on bad languages like PHP and Javascript?"

No.

For one thing it's an Associates Degree, and for another it isn't intended to be any kind of substitute or "weaker version" of CS. It's Web Development.

But for the record, in case that's what you're implying, I was studying for a Computer Engineering major, and I got the AS in Web Development as a separate (and in many ways unrelated) side discipline.

Having said that, I agree that PHP and JavaScript are bad languages. I wouldn't even call PHP a "language", per se. It's just a huge jumble of inconsistent utility functions.

Re:Hah! (0)

Anonymous Coward | about 10 months ago | (#43992799)

That is pretty funny, the butt-hurt lamers were crying about RoR in 2005.

Re:Hah! (1)

aztracker1 (702135) | about a year ago | (#43852371)

I don't know that it was poorly designed... I think of it as mostly an extension to Perl, not that I write much of either. It doesn't really appeal to me, but that doesn't mean one can't appreciate it as a language. I've been a fan of JS since before all the cool kids took notice, but it has a lot of warts. Just the same, it's garnered a lot of attention for use in certain scenarios where it is a good fit; perhaps JS+NodeJS isn't as good a fit as Lua+Luvit, but it works, and is a widely used language.

That said, I've done most of my server-side coding for the better part of a decade in C# (.Net). I've seen plenty of people doing stupid stuff in the language/platform. You can build crap in any platform... not to mention that platform vulnerabilities happen, though imho less often than diy platforms tend to have. It's important to keep up on security updates.

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43850085)

People keep telling me to "google" things, but I'm tired of this, seems too much like they're trying to get me to some hacker website. What the fuck is a "google" anyways?

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43851469)

It is a common reply by people too lazy to respond, or maybe they just don't know the answer and can't admit it.

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43850203)

Don't worry, no one's ever actually used it, and no one will. *yawn*

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43851275)

I keep reading your post but I only see "What the heck is Google?"

Re:Hah! (0)

Anonymous Coward | about a year ago | (#43851627)

Ruby is a scripting language

Ruby on Rails is a framework for that language, like CakePHP or CodeIgniter are frameworks for PHP

Re:Hah! (1)

Bill, Shooter of Bul (629286) | about a year ago | (#43851717)

Part of the confusion is that most people heard of PHP before Cake, CodeIgniter or Zend. Most people learned of Ruby through Ruby on Rails and just assumed it was a language, rather than a language and a third-party framework.

Re:Hah! (0)

Anonymous Coward | about 10 months ago | (#43992867)

Ruby is a full-featured language and decidedly not a scripting language

Re: Hah! (1)

Greyfox (87712) | about a year ago | (#43852827)

It's a flavor of kool aid they want you to drink. It's composed of several other very bad flavors, most distinct of which are active record and magic. Active record is also very magic-flavored, which one might find confusing until they figure out what this is all about. If you read about it, it sounds delicious. Once you actually find out how it's made, you might change your mind. And you have to find out how it's made if you actually want to do anything useful with it.

Re: Hah! (1)

dkf (304284) | about a year ago | (#43854439)

If you read about it, it sounds delicious. Once you actually find out how it's made, you might change your mind. And you have to find out how it's made if you actually want to do anything useful with it.

It's also capable of being seriously mind-bending when it screws something up. (Today, we found the weirdest of problems with encoding handling in templates. On one level I can see what exactly happened and how it came to pass, but on another level WHY, OH GREAT FLYING SPAGHETTI MONSTER? WHY?)

I WANT MY RUBY ON CRANK !! (-1)

Anonymous Coward | about a year ago | (#43849981)

This way I know I'll be done in a flash !! Way before they can find me and take me to the basement and torture me to try and get all the info I have on them !! I know who they are !!

Is there a reason *not* to block ports? (1, Insightful)

Anonymous Coward | about a year ago | (#43850039)

Is there any reason to keep any port open which you don't intend to use?

Re:Is there a reason *not* to block ports? (2)

Aaden42 (198257) | about a year ago | (#43850171)

No. And quite a few good reasons to block them.

That said, most webservers have no firewall to speak of in front of them and are run by "administrators" who don't even know how to configure the host's software firewall properly to block unwanted traffic (or on shared hosting where the host has no interest in the complexities of managing the software firewall for multiple users).

Re:Is there a reason *not* to block ports? (2, Funny)

Anonymous Coward | about a year ago | (#43850363)

That's a damned good point...I wish someone would pop in here and give us some of the secret inner workings of the HOSTS file...

Re:Is there a reason *not* to block ports? (0)

Anonymous Coward | about a year ago | (#43869089)

ZALGO! HE COMES!

Re:Is there a reason *not* to block ports? (1)

Anonymous Coward | about a year ago | (#43851069)

Is there any reason to keep any port open which you don't intend to use?

First off, the advice is not to close "open" ports, it is to restrict outbound traffic to commonly used IRC ports. I say commonly used, because IRC can and does run all over the port range, the standard port of 6667 is just a recommendation.

Secondly, it's not ports you need to block, you need to block new outgoing connections. A web client could easily be using a local port of 6667, so simply blocking all traffic to destination port 6667 will piss off real users real quick. Instead, you want to block all new outgoing connections. New incoming connections are fine, related connections are fine.

Most firewalls do not do this. Most will simply do what the above coward suggested, and block all unused local ports on the server. Well done, totally missed the point.
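The egress policy that comment describes, written out as a POSIX shell script for a Linux web server with iptables and the conntrack match (an added example, not code from the thread or from Rails; the resolver and database addresses are constructed placeholders). Replies to incoming requests match ESTABLISHED, so serving traffic is unaffected, while any NEW outbound connection outside the allow-list, IRC on port 6667 or anywhere else, is logged and dropped:

```shell
#!/bin/sh
# Added example: restrict NEW outbound connections from a web server instead of
# blocking destination ports. Assumes iptables with the conntrack match.
# Addresses below are constructed placeholders (RFC 5737 documentation range).
ALLOW_DNS="${ALLOW_DNS:-192.0.2.53}"        # placeholder resolver
ALLOW_DB="${ALLOW_DB:-192.0.2.10}"          # placeholder database host
ALLOW_DB_PORT="${ALLOW_DB_PORT:-5432}"

# Emit the rule list, one iptables invocation per line, so it can be reviewed
# or diffed before anything is loaded into the kernel.
egress_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW -p udp -d $ALLOW_DNS --dport 53 -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW -p tcp -d $ALLOW_DB --dport $ALLOW_DB_PORT -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "EGRESS-DENY: " --log-level 4
iptables -A OUTPUT -m conntrack --ctstate NEW -j DROP
EOF
}

# Apply the rules in order; stops at the first failing command.
# Must run as root; call egress_rules alone to preview without applying.
apply_egress() {
    egress_rules | while IFS= read -r rule; do
        sh -c "$rule" || exit 1
    done
}

# A compromised process calling out to an IRC server now produces a kernel log
# line prefixed "EGRESS-DENY: " with the destination address and port, which is
# the signal to alert on.
case "${1:-}" in
    apply)   apply_egress ;;
    preview) egress_rules ;;
esac
```

Run with `preview` first; the final DROP rule with a LOG rule just before it is what turns a blocked beacon into a detectable event.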

Fix is here... (5, Funny)

mystikkman (1487801) | about a year ago | (#43850045)

Fix is here.

http://www.asp.net/ [asp.net]

Re:Fix is here... (0)

Anonymous Coward | about a year ago | (#43850135)

Not sure if +1 funny or -1 stupid.

Re:Fix is here... (0)

Anonymous Coward | about a year ago | (#43850247)

Not sure if -1 Went over your fucking head or -1 Idiotic fanboy freetard

Re:Fix is here... (0)

Anonymous Coward | about a year ago | (#43854137)

Not sure if you are such an asshole because you are 12 or if just too fucking ugly to get laid

Re:Fix is here... (0)

Anonymous Coward | about a year ago | (#43857409)

Neither, why do you do it?

Re:Fix is here... (0)

Anonymous Coward | about a year ago | (#43935723)

Not sure if you are such an asshole because you are 12 or if just too fucking ugly to get laid

And I guess you're both these things? Grow up.

Re:Fix is here... (0)

Anonymous Coward | about a year ago | (#43850281)

He just tells them to do like Cleopatra and kill themselves with a long, painful death from a venomous snake bite.

Nobody likes Ruby on Rails programmers.

Re:Fix is here... (0)

Anonymous Coward | about a year ago | (#43850339)

Bah. Wasteful bloat and unneeded garbage. Plus, not cross-platform. Correct fix is here [boutell.com] , or possibly here [webtoolkit.eu] .

(I'm half joking, half telling you kids to get off my lawn and take your w3 with you.)

Re:Fix is here... (1)

aztracker1 (702135) | about a year ago | (#43852481)

Ouch... let's just scale the risk of memory leaks out a lot while we're at it...

I don't care for the WebForms event model (lots of bloat and overhead), but the ASP.Net MVC model is pretty efficient (even compared to C) at scale. I would also note there is Mono if you want to do cross platform .Net (personally, I think it's more painful to configure than my time is worth and would rather buy an MS license for Windows Web Server in a business environment). I've actually been considering taking my handful of personal-use .Net sites over to Mono.

I've been finding lately that I really like NodeJS and Express more than anything else out there. Yeah, I don't get a lot of the IDE benefits (WebStorm is nice enough for me), but the paradigm is so much cleaner.

Idea (4, Interesting)

stewsters (1406737) | about a year ago | (#43850057)

From TFA:
There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.

So, basically we could take control of these servers and force them to update to the newest version of Rails?

Re:Idea (0)

Anonymous Coward | about a year ago | (#43851077)

No. This comment is in regards to the bots. You could join the IRC server and issue commands to the bots.

Re:Idea (1)

sl4shd0rk (755837) | about a year ago | (#43851233)

take control of these servers and force them to update to the newest version of Rails?

Yes and after we are done there:
- find all the Hummers and downgrade the knobby tires to all-season tires for better gas mileage/less noise pollution.
- hand out equipment violations for every small-dick Harley biker running annoying/illegal straight-pipe exhaust.
- hit every Walmart parking lot and jimmy the gas caps so we can upgrade everyone to cleaner burning fuel instead of the 87 octane everyone is using.
- Storm over the counter at every McDonalds and substitute the "beef" burgers with Tofurkey to save everyone's HDL.
- Use the current Rails exploit to hack EC2 and remove every Bieber/Lady Gaga download to save everyone from themselves.

I'd love to fix all these finger-nail-on-chalkboard annoyances of every-day life too, but sometimes IRL, people code explicitly for those versions which later become vulnerable and they need to assess if any business logic is going to be broken via the upgrades. Sometimes you spend extra money on segregation/data separation/egress monitoring to keep the business running on vulnerable software while fixes are put in place. It would be fun to see the look on everyone's faces making Robin-Hood style fixes on all these things, but realistically it just makes you look as douchey as the original exploit author.

Re:Idea (1)

aztracker1 (702135) | about a year ago | (#43852497)

They don't even need to update the Rails version, just change the default encryption key used for the secure cookies token(s).

One reason your web server firewall might want to (0)

Anonymous Coward | about a year ago | (#43850063)

Yup, so the botnet creators will finally switch to using pastebin or some other service of this kind.

Re:One reason your web server firewall might want (0)

Anonymous Coward | about a year ago | (#43850285)

So your web server has reason to access pastebin or some other service of this kind?

Ruby on Fails (1)

Anonymous Coward | about a year ago | (#43850093)

When will people realise how risky it is to have someone build you a rails based site? They require constant security patching, run so slowly, and are often built by people who claim to be developers, but in reality security and performance are words they don't understand.

Remember - Rails to pose, Python based frameworks for pros.

It really is shocking how many Brogrammers out there think software engineering and good architecture can be achieved by gem or bundle install.

How long... (2)

Thantik (1207112) | about a year ago | (#43850291)

until someone makes a Bitcoin farming botnet out of all these Ruby on Rails hosts?

Re:How long... (0)

Anonymous Coward | about a year ago | (#43850635)

until someone makes a Bitcoin farming botnet out of all these Ruby on Rails hosts?

It's Ruby. How many decades would it take an infinite Ruby botnet to farm a single Bitcoin?

Re:How long... (0)

Anonymous Coward | about a year ago | (#43851339)

It's not a Ruby-based botnet... It's exploiting a bug in the Ruby on Rails framework. The botnet is a shitty IRC botnet.

Or... (0)

Anonymous Coward | about a year ago | (#43851059)

One reason your web server firewall might want to block IRC connections to arbitrary hosts.

Alternatively, it's also another good reason to not use Rails...

Somebody please help me (2)

fredrated (639554) | about a year ago | (#43851297)

I am being forced to learn RoR as part of my job. Should I shoot myself?

Re:Somebody please help me (0)

Anonymous Coward | about a year ago | (#43851441)

Yes!

Re:Somebody please help me (0)

Anonymous Coward | about a year ago | (#43851519)

Yes! More available job market for me!

Re:Somebody please help me (1)

iluvcapra (782887) | about a year ago | (#43852007)

Don't, you'll go to hell, where you'll be forced to write a data warehousing backend for Satan's business affairs platform, which runs WebObjects.

Re:Somebody please help me (0)

Anonymous Coward | about a year ago | (#43854159)

When did Satan upgrade from COBOL?

Re:Somebody please help me (1)

tibman (623933) | about a year ago | (#43854865)

Oh, cobol is still there. We are interfacing the two systems.

Re:Somebody please help me (1)

iluvcapra (782887) | about a year ago | (#43855781)

The pain is that for compliance reasons we have to row-replicate our "live" records to Santa and the Easter Bunny every month, sometimes more frequently around their rush periods. Fortunately, we did their original database transition in 1973* -- we just use some old JCL scripts someone put together at the time, they still seem to work.

*It's a little known fact that Our Dark and Imperious Prince of Lies actually operated a major consultancy in the 70s. SAP took over most of our clients in the early 80s when we transitioned into the consumer space (you've probably used our toner cartridges). Anyways that's why we did Leo Apotheker such a big favor.

Re:Somebody please help me (0)

Anonymous Coward | about a year ago | (#43854067)

If you hate your job that much, yeah. Otherwise be glad that you're employed in such a shitty market and shut the fuck up.

IRC (0)

Anonymous Coward | about a year ago | (#43851497)

Just block IRC from your network completely. Its main use nowadays seems to be for criminal hacking.

Fines (1)

ThatsNotPudding (1045640) | about a year ago | (#43851961)

At least where they have regulatory authority (USA), the FCC needs to start fining people running servers with blatant security holes that they ignore. A sliding scale based on the percentage of the organizations' income, with real non-profits exempt (except blocked until they patch). This might finally get some folks' attention who think they can set up a server (or hire someone to set it up) but not maintain it as long as they're making money.

Re:Fines (1)

Jawnn (445279) | about a year ago | (#43852517)

That, or require a license, granted on demonstration of suitable proficiency, before being allowed to run _any_ server that is connected to the Internet. Yeah, that'll happen.

Re:Fines (0)

Anonymous Coward | about a year ago | (#43852903)

That, or require a license, granted on demonstration of suitable proficiency, before being allowed to run _any_ server that is connected to the Internet. Yeah, that'll happen.

Oh, right. That'd be great.

Government regulation over who can connect to the internet.

Hell, let's put that wonderful non-partisan IRS in charge.

They'll NEVER abuse their power.....

Firewall (1)

Vrtigo1 (1303147) | about a year ago | (#43854675)

If your webserver firewall allows outbound connections to anything you can't easily provide an explanation for then you need to be sent to a remedial network security course. All our devs hate me because every time they deploy something to production it inevitably breaks because they didn't submit a request to have the necessary ports opened in the firewall, but I'd rather deal with devs hating me than me hating devs because their insecure apps got us hacked.

Re:Firewall (0)

Anonymous Coward | about 10 months ago | (#43992091)

Once you open a single port for outbound connections, you lose the ability to stop malware from using your server as a base of operations.

Of course, drop all outbound traffic and you are screwed.

Moral: A firewall cannot protect you.
