Developers who have not updated their Ruby on Rails installations with a five-month-old security patch would do well to secure the Web development framework now. Exploit code has surfaced for CVE-2013-0156 that is being used to build a botnet of compromised servers.
Exploit code has been publicly available on GitHub and in Metasploit since the vulnerability was disclosed in January, yet the vulnerability had not been exploited on a large scale until now, said security researcher Jeff Jarmoc.
“I don’t have much evidence as to what the actor may be doing with their compromised machines,” Jarmoc told Threatpost via email. “It seems possible this could be used as a DDoS botnet, but there’s no real evidence from what I’ve seen that supports any particular goal beyond compromising vulnerable hosts.”
Jarmoc wrote on his personal blog that he found three command and control servers, all of which are down at the moment. The domains previously have been used to host Trojans and other malware targeting compromised machines.
The exploits set up an IRC chat relay bot that connects to 188[.]190[.]124[.]81 and joins a channel called #rails. The code is configured to execute only once on an infected host.
“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers,” Jarmoc wrote on his blog. “There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.”
A patch for the Ruby on Rails framework was delivered on Jan. 8 and users were urged to upgrade to versions 3.2.11, 3.1.10, 3.0.19 or 2.3.15, all of which are no longer vulnerable. The advisory issued in January said the vulnerability allows attackers to bypass authentication systems, inject SQL commands, inject and execute code or crash a Rails application.
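As an added example (not code from the article or from the Rails project), this Ruby script reads a Gemfile.lock and compares the pinned Rails version against the fixed releases listed above; the lock file contents are constructed for the demonstration, and the branch-to-fix mapping is the only assumption beyond those version numbers.

```ruby
# Fixed releases per maintained branch, as named in the January advisory.
FIXED = {
  "3.2" => "3.2.11",
  "3.1" => "3.1.10",
  "3.0" => "3.0.19",
  "2.3" => "2.3.15",
}.freeze

# Constructed sample Gemfile.lock (not a real project's file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.8)
        actionmailer (= 3.2.8)
        railties (= 3.2.8)
      railties (3.2.8)

  DEPENDENCIES
    rails (= 3.2.8)
LOCK

# Turn "x.y.z" into an integer array for comparison. Only the first three
# components are compared, so a pre-release of a fixed version counts as fixed.
def version_parts(v)
  v.split(".").take(3).map(&:to_i)
end

# Pull the resolved rails version from the GEM/specs section. The regex needs
# a digit right after "(", so the "rails (= 3.2.8)" dependency line is skipped.
def rails_version_from_lock(lock_text)
  m = lock_text.match(/^\s+rails \((\d+\.\d+\.\d+[^)]*)\)/)
  m && m[1]
end

# :patched, :vulnerable, or :unknown (no rails pin, or a branch the advisory
# did not cover, so the version alone proves nothing).
def cve_2013_0156_status(version)
  return :unknown if version.nil?
  parts = version_parts(version)
  fixed = FIXED[parts.take(2).join(".")]
  return :unknown unless fixed
  (parts <=> version_parts(fixed)) >= 0 ? :patched : :vulnerable
end

# Convenience wrapper: status for a whole lock file.
def check_lock(lock_text)
  cve_2013_0156_status(rails_version_from_lock(lock_text))
end

puts "#{rails_version_from_lock(SAMPLE_LOCK)}: #{check_lock(SAMPLE_LOCK)}"
```

Run it against each application's Gemfile.lock; an :unknown result (for example an unsupported 2.x branch) still needs a manual look rather than being treated as safe.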
Despite the five-month window between the patch and the appearance of in-the-wild exploitation, a significant number of Rails installations clearly remain unpatched. Jarmoc speculates that some organizations may not realize they are running vulnerable installations, in spite of security advisories and press coverage of the matter.
“It’s not particularly hard to update Rails, but as with any update there’s a possibility of unintended effects on applications. This alone can cause hesitation in some cases,” Jarmoc said. “There’s a small amount of downtime needed to patch, but downtime-sensitive environments can rely on load balancing, redundant servers, etc. to mitigate that.”
Metasploit creator HD Moore told Threatpost at the time of the January disclosure that the vulnerability is likely the worst security issue to affect the framework.
“Given the deployed base of Rails, even a small percentage success rate is likely to compromise a significant number of servers,” Jarmoc said.