Researchers have uncovered a critical security vulnerability in Rails applications that leverages the Bootsnap caching library: an arbitrary file write vulnerability in the application can be turned into remote code execution (RCE).
The issue is particularly concerning because Bootsnap has shipped as a default component of Rails since version 5.2.
Understanding The Vulnerability
The vulnerability stems from a standard arbitrary file write flaw. Below is an example of vulnerable code:
According to the Conviso Research Team, in this scenario, users can control both the file path and content. This allows malicious actors to write files to arbitrary locations on the server, potentially leading to RCE.
Despite the exploit’s potential, certain restrictions make its execution non-trivial. Rails production environments often use Docker containers with limited writable directories such as /tmp, db, and log.
However, these limitations can be bypassed by targeting specific writable directories, such as tmp/cache/bootsnap.
Bootsnap Cache Exploitation
Bootsnap speeds up Rails application boot by caching expensive computations. Its cache files are stored in tmp/cache/bootsnap and include compiled (bytecode) versions of Ruby source files. These files follow a specific structure consisting of a header (the cache key) followed by the compiled content.
By overwriting a cache file with malicious Ruby code and triggering its execution during application startup, attackers can achieve RCE. An overview of the exploitation process is as follows:
- Identify Target File: Select a file likely to be executed during application startup (e.g., set.rb from Ruby’s standard library).
- Generate Malicious Cache: Create a cache key using Bootsnap’s hashing mechanism. Embed malicious Ruby code into the cache file.
- Write Malicious Cache: Use the arbitrary file write vulnerability to overwrite the target cache file.
- Restart Application: Trigger a server restart by writing to tmp/restart.txt, leveraging Puma’s restart functionality.
- Execute Malicious Code: During the restart, the application loads the malicious cache file, executing the attacker’s payload.
Mitigation Strategies
- Restrict Writable Directories: Limit writable paths in production environments.
- Validate User Input: Sanitize filenames and paths to prevent directory traversal attacks.
- Monitor Cache Files: Regularly inspect Bootsnap cache directories for unauthorized changes.
- Update Dependencies: Ensure Bootsnap and Rails are updated to their latest versions with security patches.
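One way to implement the "Validate User Input" item above, as an added example that is not part of the article and not code from Conviso's write-up: ConfinedWriter is a hypothetical helper that replaces a user-controlled path with a server-chosen root directory plus a validated relative name, so the write described in the article can no longer reach tmp/cache/bootsnap.

```ruby
require "pathname"

# Hypothetical helper (added example, not from the article or Conviso's write-up).
# Replaces the pattern the article describes, File.write(params[:path], params[:content]),
# with a write whose destination is confined to one server-chosen directory, so a
# user-supplied name can never land in tmp/cache/bootsnap or anywhere else outside it.
class ConfinedWriter
  class PathRejected < StandardError; end

  def initialize(root)
    @root = Pathname.new(File.expand_path(root))
    @real_root = @root.realpath # raises if the root is missing: create it at boot, not here
  end

  # Returns the absolute path (String) for a user-supplied relative name, or raises
  # PathRejected. Rejects NUL bytes and absolute paths, ".." that escapes the root,
  # a parent directory that does not exist or (after following symlinks) lies
  # outside the root, and a target that is itself a symlink.
  def resolve(user_name)
    name = user_name.to_s
    raise PathRejected, "empty name" if name.empty?
    raise PathRejected, "NUL byte" if name.include?("\0")
    raise PathRejected, "absolute path" if Pathname.new(name).absolute?
    candidate = (@root + name).expand_path # resolves "." and ".." lexically
    raise PathRejected, "escapes root" unless inside?(candidate, @root)
    parent = begin
      candidate.dirname.realpath # follows symlinks; fails if the directory is missing
    rescue SystemCallError
      raise PathRejected, "parent directory does not exist"
    end
    raise PathRejected, "escapes root via symlink" unless inside?(parent + candidate.basename, @real_root)
    raise PathRejected, "target is a symlink" if candidate.symlink?
    candidate.to_s
  end

  # Writes content to the confined location and returns the path written.
  def write(user_name, content)
    path = resolve(user_name)
    File.write(path, content)
    path
  end

  private

  # True when path is strictly below dir; the directory itself is never a valid target.
  def inside?(path, dir)
    path.to_s.start_with?(dir.to_s.chomp(File::SEPARATOR) + File::SEPARATOR)
  end
end
```

Pair this with a root outside the application's tmp/ directory and a container filesystem where only that root is writable, so a bypass of the name check still cannot reach the Bootsnap cache.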
This vulnerability highlights the risks associated with arbitrary file write flaws in web applications. By abusing Bootsnap’s caching mechanism, attackers can escalate a file write primitive into RCE.
Developers should adopt stringent security practices, including input validation and dependency management, to mitigate such threats effectively.