Bug 889649 (CVE-2012-5664, CVE-2012-6496) - CVE-2012-6496 rubygem-activerecord: find_by_* SQL Injection
Summary: CVE-2012-6496 rubygem-activerecord: find_by_* SQL Injection
Status: CLOSED ERRATA
Alias: CVE-2012-5664, CVE-2012-6496
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20121221,repor...
Keywords: Security
Depends On: 891468 891469 891470 891471 891472 891473 893771 995682
Blocks: 872346 889650 892883
TreeView+ depends on / blocked
 
Reported: 2012-12-22 07:43 UTC by Kurt Seifried
Modified: 2015-08-21 21:17 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-24 23:05:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
CVE-2012-5664-2-3-dynamic_finder_injection.patch (2.04 KB, patch)
2013-01-03 20:24 UTC, Kurt Seifried
no flags Details | Diff
CVE-2012-5664-3-0-dynamic_finder_injection.patch (2.15 KB, patch)
2013-01-03 20:24 UTC, Kurt Seifried
no flags Details | Diff
CVE-2012-5664-3-1-dynamic_finder_injection.patch (2.10 KB, patch)
2013-01-03 20:24 UTC, Kurt Seifried
no flags Details | Diff
CVE-2012-5664-3-2-dynamic_finder_injection.patch (2.10 KB, patch)
2013-01-03 20:25 UTC, Kurt Seifried
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0154 normal SHIPPED_LIVE Critical: Ruby on Rails security update 2013-01-11 01:38:55 UTC
Red Hat Product Errata RHSA-2013:0155 normal SHIPPED_LIVE Critical: Ruby on Rails security update 2013-01-11 03:40:25 UTC
Red Hat Product Errata RHSA-2013:0220 normal SHIPPED_LIVE Important: Red Hat OpenShift Enterprise 1.1 update 2013-02-01 01:23:24 UTC

Description Kurt Seifried 2012-12-22 07:43:27 UTC
This issue was found on the Phenoelit Blog:

An authlogic cookie usually uses a database stored token to identify the user. The relevant parts of the session cookie are:

    user_credentials_id - a numeric value which is used with "User.find_by_id()"
    user_credentials - a radom string which will be compared with the database field "persistence_token" in the Users table

Due to the way the RoR "find_by_*" methods are defined the following SQL injection a-like issue arises:

> User.find_by_id({:select =>"* from users limit 1 --"})
  User Load (0.5ms)  SELECT * from users limit 1 -- FROM "users" WHERE "users"."id" IS NULL LIMIT 1
 => #<User id: 1, [... all the fun stuff]

By knowing this behaviour we can now easily circumvent the authlogic protection with the knowledge of the "secret_token".
The following cookie would give you access to an authlogic protected application:

{ 
  "session_id" => "41414141", 
  "user_credentials"=>"Phenoelit",
  "user_credentials_id"=>{ 
    :select=> " *,\"Phenoelit\" as persistence_token from Users -- "
  }
}

Last man standing would then be devise/warden, which works similar to authlogic but is not exploitable in that way described above.

External references:

http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html

Comment 2 Kurt Seifried 2013-01-03 03:26:00 UTC
Aaron Patterson reports:

https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM

SQL Injection Vulnerability in Ruby on Rails

There is a SQL injection vulnerability in Active Record in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-5664.

Versions Affected:  All.
Not affected:       NONE.
Fixed Versions:     3.2.10, 3.1.9, 3.0.18

Impact
------
Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope.  Carefully crafted requests can use the scope to inject arbitrary SQL.

All users running an affected release should either upgrade or use one of the work arounds immediately.

Impacted code passes user provided data to a dynamic finder like this:

  Post.find_by_id(params[:id])

Releases
--------
The  3.2.10, 3.1.9 & 3.0.18 releases are available at the normal locations.

Workarounds
-----------
The issue can be mitigated by explicitly converting the parameter to an expected value.  For example, change this:

  Post.find_by_id(params[:id])

to this:

  Post.find_by_id(params[:id].to_s)

Comment 3 Kurt Seifried 2013-01-03 03:28:24 UTC
Created rubygem-rails tracking bugs for this issue

Affects: epel-5 [bug 891468]

Comment 4 Kurt Seifried 2013-01-03 03:29:59 UTC
Created rubygem-rails tracking bugs for this issue

Affects: fedora-all [bug 891469]

Comment 9 Mamoru TASAKA 2013-01-03 07:21:25 UTC
Patches available:
http://seclists.org/oss-sec/2013/q1/3

Comment 10 Kurt Seifried 2013-01-03 20:24:16 UTC
Created attachment 672189 [details]
CVE-2012-5664-2-3-dynamic_finder_injection.patch

Comment 11 Kurt Seifried 2013-01-03 20:24:34 UTC
Created attachment 672190 [details]
CVE-2012-5664-3-0-dynamic_finder_injection.patch

Comment 12 Kurt Seifried 2013-01-03 20:24:52 UTC
Created attachment 672191 [details]
CVE-2012-5664-3-1-dynamic_finder_injection.patch

Comment 13 Kurt Seifried 2013-01-03 20:25:08 UTC
Created attachment 672192 [details]
CVE-2012-5664-3-2-dynamic_finder_injection.patch

Comment 14 Vít Ondruch 2013-01-03 20:33:56 UTC
This is nice explanation of how to exploit this vulnerability: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/

Comment 15 Vincent Danen 2013-01-04 02:29:45 UTC
This has been split into two CVEs:

CVE-2012-6496 (SQL injection)
CVE-2012-6497 (Authlogic unsafe find_by_id method calls)

CVE-2012-5664 has been REJECTED, as per:

http://openwall.com/lists/oss-security/2013/01/03/12


Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6496 to
the following vulnerability:

Name: CVE-2012-6496
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6496
Assigned: 20130103
Reference: https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain
Reference: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=889649

SQL injection vulnerability in the Active Record component in Ruby on
Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10
allows remote attackers to execute arbitrary SQL commands via a
crafted request that leverages incorrect behavior of dynamic finders
in applications that can use unexpected data types in certain find_by_
method calls.

Comment 16 Vincent Danen 2013-01-04 02:39:21 UTC
See bug #891794 for CVE-2012-6497.

Comment 17 errata-xmlrpc 2013-01-10 20:42:40 UTC
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.1

Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html

Comment 18 errata-xmlrpc 2013-01-10 22:41:34 UTC
This issue has been addressed in following products:

  CloudForms for RHEL 6

Via RHSA-2013:0155 https://rhn.redhat.com/errata/RHSA-2013-0155.html

Comment 19 Fedora Update System 2013-01-15 02:22:22 UTC
rubygem-activerecord-3.0.10-4.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2013-01-15 02:31:28 UTC
rubygem-activerecord-3.0.11-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2013-01-15 02:31:51 UTC
rubygem-activerecord-3.2.8-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 errata-xmlrpc 2013-01-31 20:34:02 UTC
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0220 https://rhn.redhat.com/errata/RHSA-2013-0220.html

Comment 23 errata-xmlrpc 2013-02-21 19:21:07 UTC
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0544 https://rhn.redhat.com/errata/RHSA-2013-0544.html

Comment 24 Kurt Seifried 2013-07-26 06:22:23 UTC
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.

Comment 26 Kurt Seifried 2015-08-20 15:19:38 UTC
this was closed:errata because we released errata to fix it.


Note You need to log in before you can comment on or make changes to this bug.