Several applications were vulnerable to brute-force attacks; hundreds more could be at risk
UPDATED Poor integration of the Ransack library into Ruby on Rails (RoR) applications could allow attackers to steal information from backend databases, security firm Positive Security has warned.
Ransack allows developers to add object-based search to their Rails applications. Its convenience and flexibility have made it both widely used and problematic, at least from a security perspective.
Traversing objects through search
By default, Ransack supports query conditions for associated objects. For example, if you’re running a query on a page that lists blog posts, you can include conditions about the post’s author through its association with the blog object.
Ransack also supports very useful commands that can be appended to field names to filter the results with operators such as ‘starts with’ or ‘contains’. However, used without guardrails this feature can enable malicious actors to easily traverse domains to reach backend database systems.
For example, an attacker can go from the posts table to the users table and try to guess the password hash of a user. The filtering operators enable the miscreant to speed up the process by guessing the hash value one character at a time. A single bcrypt password hash can be extracted within a few minutes and with less than 2,000 requests, the Positive Security researchers found.
YOU MAY ALSO LIKE Trellix automates tackling open source vulnerabilities at scale
“It is a feature, and the problem is with how web applications use this feature, namely invoking the Ransack search function with unrestricted user input as parameters,” Lukas Euler, managing director at Positive Security, told The Daily Swig. “However, the library documentation explicitly recommends this way of using the library.”
A notice was added to the Ransack documentation recently, warning users that “searching and sorting are authorized on any column of your model”. The warning was added after a public discussion began about this problem on GitHub.
Exploiting Ransack search in the wild
The researchers found hundreds of potentially vulnerable sites by searching for Ransack patterns in URL datasets. Although they could not verify every single candidate, they were able to confirm the vulnerability in dozens of websites.
“A common pattern we used when exploiting the issue was to use a publicly exposed search feature to look for association chains from the searchable data class to sensitive attributes of the application's user class,” Euler said.
Their most alarming finding was the ability to use Ransack to take over administrator accounts. For example, in fablabs.io, a platform for sharing scientific knowledge, Ransack search queries could give access to the superadmin user’s password reset token (which, due to another poor design decision, did not expire and could be reused).
Catch up with the latest secure development news
“Having access to admin user accounts allowed us to conveniently read and manipulate all of the application's private data for two of the Ruby on Rails applications we tested,” Euler said.
Other popular applications that were found vulnerable include CodeOcean, Pageflow, Active Admin, and openSUSE Travel Support Program.
The issue has been remediated in all of these projects apart from, it seems, Active Admin, whose vendor, Tidelift, had apparently failed to respond to Positive security’s emails as of the publication of the latter's research.
However, a Tidelift representative did later respond to our email about the flaw, saying that the maintainer of Ransack is working on an update that will change the default behavior, and is now discussing the issue with the bug reporter.
Other technologies vulnerable
In previous work, the researchers had found similar issues in an application that used Hasura, a GraphQL server platform. They were able to extract admin session tokens through a multi-step association chain across different objects.
“Libraries and frameworks generally evolve over time to add more and more features that are often enabled by default, while also trying to keep the integration and usage for simple use cases easy for developers,” Euler said. “As a result, developers often inadvertently integrate many more additional features and attack surface than they expect.”
The lesson, Euler says, is to always research the full feature range of the libraries and frameworks you're using and take steps to minimize your attack surface by disabling anything you don't need.
“This is not exclusive to Ruby on Rails, but RoR might be even more prone to issues like this than other frameworks due to its emphasis on ‘Convention over Configuration’ and making powerful features available behind simple API interfaces,” Euler said.
This article was updated on February 1 with a comment from Tidelift regarding remediation for the security issue affecting Ransack and Active Admin.
YOU MAY ALSO LIKE RubyGems trials 2FA-by-default in code repo’s latest security effort