In a previous blog post, I outlined some ModSecurity defenses to help protect Ruby on Rails users from the XML parsing vulnerabilities. Hopefully you have had a chance to update Rails on your site. If not, you might want to stop what you are doing and fix it now... We recently identified a few attack probes on our WASC Distributed Web Honeypot Project sensors looking for this vulnerability. The three probes below arrived in sequence and show the attacker working up from a harmless test string to an actual code-execution check.
Initial String Testing:
The attacker first sends a harmless test string value of "hello", presumably to confirm that the endpoint accepts and parses an XML request body at all.
Testing for YAML parsing vulnerabilities 1:
The attacker then sends a YAML payload containing Ruby object syntax; however, the object definition is incomplete, so this looks like a check of whether the YAML is reaching the parser rather than an attempt to run code.
Testing for YAML parsing vulnerabilities 2:
In this final payload, the attacker sends a YAML payload whose embedded Ruby code reads the local time. A call like that does no damage by itself; its purpose is to confirm that the YAML is deserialized and the Ruby code is actually executed on the target, which is exactly the signal an attacker wants before sending a real payload.
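The sequence above is what a honeypot sensor or WAF rule has to recognise: an XML body whose elements carry a dangerous typecast (`type="yaml"` or `type="symbol"`, the two the Rails advisory covers) and, in the later stages, YAML text with `!ruby/` object tags. The following is an added example written for this post, not code from the original article, from the honeypot project, or from the attacker. The three request bodies are constructed stand-ins modelled on the probe stages described above; the element name `probe`, the class name `Probe` and the `src:` key are placeholders, not the captured payloads.

```ruby
require 'rexml/document'
require 'rexml/xpath'

# Typecast values that Hash.from_xml honoured before the CVE-2013-0156 fix:
# "yaml" hands the element text to the YAML loader, "symbol" interns it.
DANGEROUS_TYPES = %w[yaml symbol].freeze

# Constructed sample request bodies modelled on the three probe stages.
# These are stand-ins written for this example, not the captured payloads;
# "probe", "Probe" and "src" are placeholders.
SAMPLES = {
  string_test: <<~XML,
    <?xml version="1.0" encoding="UTF-8"?>
    <probe>hello</probe>
  XML
  yaml_incomplete: <<~XML,
    <?xml version="1.0" encoding="UTF-8"?>
    <probe type="yaml">--- !ruby/object:Probe
    </probe>
  XML
  yaml_code: <<~XML,
    <?xml version="1.0" encoding="UTF-8"?>
    <probe type="yaml">--- !ruby/object:Probe
    src: Time.now.to_s
    </probe>
  XML
}.freeze

# Inspects every element of an XML request body and returns a verdict plus
# the elements that triggered it. Malformed XML is reported rather than
# raised, because a sensor must keep running on garbage input.
def classify_xml_body(body)
  doc = REXML::Document.new(body)
  hits = []
  REXML::XPath.each(doc, '//*') do |el|
    type = el.attributes['type']
    text = el.text.to_s
    typed = type && DANGEROUS_TYPES.include?(type.downcase)
    tagged = text.include?('!ruby/')   # YAML tag that instantiates a Ruby class
    next unless typed || tagged
    hits << { element: el.name, type: type, ruby_tag: tagged }
  end
  verdict =
    if hits.empty?                       then :benign
    elsif hits.any? { |h| h[:ruby_tag] } then :ruby_object_payload
    else                                      :typed_payload
    end
  { verdict: verdict, hits: hits }
rescue REXML::ParseException => e
  { verdict: :malformed_xml, hits: [], error: e.message }
end

# Runs the classifier over each stage and returns stage => verdict.
def classify_probe_sequence(samples = SAMPLES)
  samples.transform_values { |body| classify_xml_body(body)[:verdict] }
end

if __FILE__ == $PROGRAM_NAME
  classify_probe_sequence.each { |stage, verdict| puts "#{stage}: #{verdict}" }
end
```

The first stage is classified as benign, which is the point: on its own, "hello" looks like ordinary traffic, and only the follow-up requests from the same source reveal the probe. A `type="symbol"` element without any `!ruby/` tag is still flagged, since that typecast was part of the same advisory even though these particular probes did not use it.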
Nmap NSE Script
A quick search for those payload strings turned up a new Nmap NSE script on GitHub called http-rails-xml-parser.nse:
So we have our tool identified. This script doesn't exploit the vulnerability, but it does identify vulnerable hosts, and that is enough to worry about: a detection-only scan tells the operator exactly which hosts are unpatched, so a hit from it should be treated as the reconnaissance step before an actual exploit attempt. Bottom line is that scripts and tools are out there now and actively scanning the web for vulnerable sites. Better patch or upgrade ASAP....