HD Moore, the creator of the popular Metasploit penetration testing framework, has rushed out a critical security update following reports of serious vulnerabilities in Ruby on Rails, the Web application framework used to build the popular attack tool and thousands of other Web applications.
Moore, who serves as CSO of Boston-based vulnerability management vendor Rapid7, said his team produced a security update for Metasploit users and started an analysis of the threat to determine the extent of the coding errors. The Metasploit Framework is a popular tool for white hat penetration testers. It adds working exploits for many of the latest vulnerabilities in popular applications and is also known for being used by cybercriminals.
"These kinds of bugs are close to my heart," Moore wrote in a blog entry early Wednesday morning. "Metasploit itself is written in Ruby, and we use Ruby on Rails within the Metasploit Community, Express, and Pro user interfaces."
Called an XML parameter vulnerability, Rails contains a serious error that makes it mishandle formatted parameters, according to security researcher Felix Wilhelm, who conducted an analysis of the Rails flaw. Wilhelm called the bug "highly critical in all Rails applications that do not disable parsing of XML formatted parameters" and urged administrators to apply the patch.
Moore said in his blog post that Metasploit modules would be produced to target the coding errors. Ruby on Rails has been used to build thousands of Web applications including Twitter, Groupon, Hulu and Yellow Pages. It is seen as an alternative to Java, enabling developers to rapidly build rich Web applications.
The team overseeing development of the Web application framework issued a Rails advisory and update, giving administrators the option to apply the update or enable workarounds if applying the patch is not immediately possible. The team said the development framework contains multiple weaknesses that enable an attacker to execute malicious code on an application or cause an application built with Rails to crash.
The United States Computer Emergency Readiness Team (US-CERT) issued an advisory, warning about the coding errors and urging administrators to apply the patch. It is the second time in two weeks that the framework has come under fire for containing a vulnerability. Last week a SQL injection flaw surfaced, exposing vulnerable Rails applications.
PUBLISHED JAN. 9, 2013