Ruby on Rails Action Pack framework insecurely typecasts YAML and Symbol XML parameters

Overview

The Ruby on Rails Action Pack framework is susceptible to authentication bypass, SQL injection, arbitrary code execution, or denial of service.

Description

The Ruby on Rails advisory states:

"Multiple vulnerabilities in parameter parsing in Action Pack

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.

Versions Affected: ALL versions
Not affected: NONE
Fixed Versions: 3.2.11, 3.1.10, 3.0.19, 2.3.15

Impact
------
The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the work arounds immediately.

Releases
--------
The 3.2.11, 3.1.10, 3.0.19 and 2.3.15 releases are available at the normal locations."

Additional details are available in the full advisory. Exploit code for this vulnerability is publicly available.

---

Impact

A Ruby on Rails application that uses Action Pack is susceptible to authentication bypass, SQL injection, arbitrary code execution or denial of service.

---

Solution

Apply an Update

Versions 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released to address this vulnerability.

---

The Ruby on Rails advisory states the following workarounds:

Workarounds
-----------
The work arounds differ depending on the Rails version you are using, and whether or not your application needs to support XML Parameters.

Disabling XML Entirely
----------------------
Users who don’t need to support XML parameters should disable XML parsing entirely by placing one of the following snippets inside an application initializer.

Rails 3.2, 3.1 and 3.0
----------------------
ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)

Rails 2.3
---------
ActionController::Base.param_parsers.delete(Mime::XML)

Removing YAML and Symbol support from the XML parser
----------------------------------------------------
If your application must continue to parse XML you must disable the YAML and Symbol type conversion from the Rails XML parser. You should place one of the following code snippets in an application initializer to ensure your application isn’t vulnerable. You should also consider greatly reducing the value of REXML::Document.entity_expansion_limit to limit the risk of entity explosion attacks.

YAML Parameter Parsing
----------------------
Rails has also shipped with YAML parameter parsing code, this was only ever enabled by default in Rails 1.1.0, but users who do enable it are vulnerable to all the exploits mentioned above… There is no fix for YAML object injection, so if you have enabled it you must disable it immediately.

For 2.x apps, check whether your app sets ActionController::Base.param_parsers[Mime::YAML] = :yaml and snip that out if it does.

For 3.x apps do this to disable:

_ ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::YAML)_

Rails 3.2, 3.1, 3.0
---------
ActiveSupport::XmlMini::PARSING.delete(“symbol”)
ActiveSupport::XmlMini::PARSING.delete(“yaml”)

Rails 2.3
---------
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete(‘symbol’)
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete(‘yaml’)

---

Vendor Information

380039

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Ruby on Rails Affected

Updated: January 11, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ&gt;

CVSS Metrics

Group	Score	Vector
Base	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal	8.7	E:H/RL:OF/RC:C
Environmental	8.7	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

• <https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion&gt;
• <http://api.rubyonrails.org/files/actionpack/README_rdoc.html&gt;
• <http://www.insinuator.net/2013/01/rails-yaml/&gt;
• <https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156&gt;

Acknowledgements

This vulnerability was reported to the Ruby on Rails security team by Ben Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen and Charlie Somerville.

This document was written by Jared Allar.

Other Information

CVE IDs:	CVE-2013-0156
Date Public:	2013-01-08 Date First Published: