Sunday, March 4, 2012

Hacking rails/rails repo

So I commited in rails/rails repo

I simply added a <input value=USER_ID name=public_key[user_id]> field to Public key update form, where USER_ID = 4223 (from https://api.github.com/users/rails).

Backend didn't whitelist accessible attributes and had something like this:
@key = PublicKey.find(params[:id])
@key.update_attributes(params[:public_key]) #Oh no! We passed public_key[user_id] of our victim!

Now our victim (Rails) has our public key associated with their account. You can read/write in any public/private repo on github.

Thoughts on this from 2014: 
it was one of my first hacks and I didn't know how to behave. I was angry because nobody wanted to take me and mass-assignment issue seriously. After I did the commit this vulnerability was fixed on github within 1 hour and in rails within 5 hours. This was really effective, many people learned about the bug and fixed it in their apps, but I still regret about this irresponsible disclosure.

57 comments:

  1. Hi, if you reported this to github before using it, could you paste the mail with headers as a blog post? A lot of people think you behaved badly because you didn't report to github first, but I read in a comment that you did.

    ReplyDelete
  2. It was reported with a link to the commit.

    ReplyDelete
  3. Yeah, there's the problem. You reported it via exploiting it AND POSTING WHAT YOU DID IN A PUBLIC MEDIUM. Then, and ONLY then did you report it.

    ReplyDelete
  4. Thank you for nice explanation of the security problem.

    ReplyDelete
  5. intersting it is ? yes

    ReplyDelete
  6. How's your Russian?

    ReplyDelete
  7. Some of you butthurt anons should just stfu, who gives a shit if english isn't his first language or what the dude looks like in his pic. He just exposed a massive hole that GH tried to ignore and made the world pay attention to his findings.

    He should have planted a backdoor in rails and wiped the commit log to pwn all your arrogant pretty boy english speaking asses at his leisure.

    ReplyDelete
  8. Hey,

    Congrats on finding a vulnerability. The truth is, there are more that aren't being addressed. I have known about this one for awhile but not tested it in most recent version of rails. That's not why I am writing you though.

    You are young and passionate about programming - I love that. I have about 10+ years experience on you so let me share one thing I learned early on in my career: Be careful when trying to prove your point in tech. While this backlash may seem tame, if you choose to do something similar with the wrong client, they could make life very unpleasant. Choose your battles very wisely. Sometimes it is better to be a teacher then a hacktivist :)

    Good luck with your career and all the opportunities.

    ReplyDelete
  9. Clap clap clap

    Very smart hack. However, as mh stated, maybe not the best way to expose the vulnerability into public. You may get into serious trouble, maybe not because it is Github, you know.. they might end up hiring you, but you probably wouldnt have the same luck against Microsoft :)

    Cheers

    ReplyDelete
  10. That is cool my friend

    ReplyDelete
  11. Егор ты прям звездой стал на Хакер Ньюз ;)

    ReplyDelete
  12. I love how Rails "hackers" are butthurting furiously. Yeah, people, some clever Russian guy just made you look fucking retarded. Serves you right.

    Now come on, when you criticize Egor's English, please do it in Russian for additional lulz.

    Все правильно сделал, Егор, ты охуенен. Переезжай в Израиль, у нас есть для тебя работа, серьезно :3

    ReplyDelete
  13. Thanks for the explanation. The hack is really clever :-)

    ReplyDelete
  14. Thanks for the details.

    As some others said, there are some things you didn't do the best way (commit master @rails), but the rails core dev team pushed you to do it by ignoring you.

    ReplyDelete
  15. Good work - really disheartened by some of the racist/direspectful comments.

    ReplyDelete
  16. Egor, Thanks for a) finding this and b) reporting it. If anything you have made github a safer place. I don't understand the suspension on behalf of github, You basically helped them save some big headaches and $ in the long run.

    ReplyDelete
  17. wow--nice one. i'm relieved that serious holes like this are occasionally found first by the good guys.

    so my repo is less vulnerable than it was before, so thanks.

    looks to me like you did no more than what was necessary to get the attention of those responsible for fixing it.

    The racist remarks scattered among this comment thread make we want to puke--ignore them.

    ReplyDelete
  18. And precisely what race is Egor?

    Awesome hack, Egor, you did well.

    ReplyDelete
  19. Man, why would they do this: @pk = PublicKey.find(params[:id]) ? Maybe current_account.public_keys.where(id: params[:id]) ? - without proxy - it's another security problem.

    ReplyDelete
  20. Good catch.

    It scares me that bugs like this exist in github. It also scares me that people scold you instead of them.

    Good call for finding it and getting it fixed without any real damage.

    Ignore all the moralfags :)

    ReplyDelete
  21. I'll say a couple things and Egor, I hope you read this.

    You were completely correct and anyone who says otherwise is simply wrong.

    I have been programming since I was 7 years old, which was 1985. I let myself in my first "unlocked door" in a system when I was 11 years old. I put a nice sign up there letting them know I had been there and left without damaging anything. They put a lock on the door afterwards. I'm pretty sure that was the best way to teach them about the problem.

    Hacking is virtuous. Teaching by example is the best way to teach. You can measure your success by the anger it causes.

    Never stop being disruptive.

    With solidarity,
    Napolean

    ReplyDelete
  22. Nice work egor. Quite amazing work for a 19 yo actually. You will go far!

    ReplyDelete
  23. I love Russian guys. Well done in exploting and exposing this bug. It clearly shows why Linus Trovals hates GitHub, lol :)

    ReplyDelete
  24. I do not know Rails or Ruby, but from your description this looks shockingly similar to waht a naive register_globals=on would do for you in PHP. Such 'features' are a shame for any development stack.

    ReplyDelete
  25. You did a nice job. Ignore the frustrated rail hackers (they must be hurting badly ... ouch! )

    ReplyDelete
  26. Very nice, Egor. Way to go!
    Your approach might have been a bit harsh... but it was very effective.

    Thanks for stirring this a bit.

    ReplyDelete
  27. Thank you for nice explanation of the security problem i hate framework and cmq for this reasons

    ReplyDelete
  28. "'Tis no heresy to show a LIBRARY is not secure. We shouldst reconcile our Brother Egor) to the Abbeye of Hub."
    (https://twitter.com/#!/GytOfHub/status/176625686365220864)

    ReplyDelete
  29. Interesting. I “hacked” a yahoo form like that >10 years ago (though I only used a nonexisting “neutral” in the gender field).

    I never though things like that would still be possible today - or that they actually mean that you can not only change some harmless field but actually compromise the whole system.

    Good catch, and thank you for reporting it!

    ReplyDelete
  30. I did a script one evening for a previous employer that showed which attributes on which models weren't whitelisted. They were "too busy" to implement my findings.

    For GitHub to have this issue shows just how far the "cool" loopy juice runs ...

    ReplyDelete
  31. That is why it is safe to host your own sites than rely on someon'es Rails app..

    ReplyDelete
  32. Молодой программист из России уделал крутых перцев из Github.

    По-детски всё это получилось. Надо было настойчивее постить багрепорты и написать отдельно в github о найденной уязвимости, потому-что github != rails.

    Зато теперь проще будет найти работу :) Правда, для работы за пределами России придётся серъёзно заняться языком, потому что он у тебя реально ужасен. Для начал замени плиз все фразы типа 'X got Y' на 'X has Y', глаза болят.

    А вообще удачи.

    ReplyDelete
  33. Power to you. Nice work. This kind of trivial hack (to perform, not to conceive of), done in a manner that isn't harmful, should not be punished. Sometimes it takes this kind of action to prove a point, which you have done brilliantly.

    ReplyDelete
  34. PATRIOTS, WE NEED TO BOMBARD THIS "JUDGE" WITH FAXES. S/he just ruled against the farmers who sued Monsanto. If you can believe it, Monsanto has sued farmers for patent infringement - AND WON! - because some of Monsanto's seeds blew into these farmers' fields and mingled with their produce. These farmers filed a counter-lawsuit against Monsanto. BUT TO A "JEW" THERE'S NO SUCH THING AS A CONFLICT OF INTEREST. NOR IS IT CONSIDERED INJUSTICE TO SCREW A GENTILE IN COURT (Read the "jewish" talmud for confirmation of this fact: http://100777.com/protocols.). "Jewish" "judge" NAOMI BUCHWALD didn't hesitate to rule in favor or her "jewish" comrades at Monsanto where BILL GATES IS A MAJOR STOCKHOLDER. Her kind aren't even hiding it anymore; THEY'RE ACTIVELY PILLAGING THE GOYIM (HUMAN CATTLE - GENTILES) MORE EVERYDAY. Let our judeo-commie government know they're being assailed from every direction, and WILL BE until they pack up and move to their "homeland". Read about this case at: http://tinyurl.com/JewsRuleInFavorOfJews. Then fax this throwback Buchwald at (212) 637-2390.

    DEAN BERRY MINISTRIES: "When a government outlaws 'terrorism', they're planning something for which 'terrorism' is the only recourse."

    ReplyDelete
  35. Update page views numbers please :)

    ReplyDelete
  36. Egor, you make a good job..
    You showed how to be a geek geeks.
    Best regards from Poland.

    ReplyDelete
  37. Respect Egor. You did the right thing and don't listen to stupid guys..

    ReplyDelete
  38. Come on guys, Egor tried to do a good thing, he reported politely on github issues page for rails and got ignored

    ReplyDelete
  39. Nice one. Thanks for making RoR a bit more secure. Someone should really pay you for that.

    ReplyDelete
  40. Awesome hack, in the honorable style of the old MIT hacks. (To all the haters: you guys are losers, respect a brilliant hacker, and don't feel bad that you are stupid and Egor is smart. Just know he will get the chicks, like the guys at facebook ;))

    Seriously, I guess I can see the GitHub side of things, you pretty much made them look like a bunch of fools.

    Laughable how they tried to close the bug a couple times. These guys have their day jobs I guess? Then they can say "woohoo! I closed 1 security bug today, manager is happy, I can go home, where is my raise?"

    For example, here is how you "punt":

    "Rails is not in charge, it is your responsibility to secure your application. It is your responsibility to avoid XSS, to ensure that the user is editing a resource that belongs to him, etc."

    Duoh!

    Best comment by busyloop "Rails is all about conventions. Broken by default is not a good convention."

    FYI: Egor, reconsider your hourly rate. Don't undersell yourself. Why should those chumps at GH be making more money than you? Check around what Rails security experts are charging. Market yourself. Get someone to represent you, i.e. hire on with a security company or create your own.

    ReplyDelete
  41. Nice job fella...

    ReplyDelete
  42. Nice job...and people saying things like "you look like frankestein" or "your english sucks" should consider dying in favor of the humanity

    ReplyDelete
  43. Quote:
    "I love how Rails "hackers" are butthurting furiously. Yeah, people, some clever Russian guy just made you look fucking retarded. Serves you right.

    Now come on, when you criticize Egor's English, please do it in Russian for additional lulz.

    Все правильно сделал, Егор, ты охуенен. Переезжай в Израиль, у нас есть для тебя работа, серьезно :3"

    +1
    I love you Russians :)
    -An American

    ReplyDelete
  44. This comment has been removed by the author.

    ReplyDelete
  45. This is ridiculously simple! It is a shame for github.

    ReplyDelete
  46. @Anonymous
    >Someone should really pay you for that.
    no fuckin penny yet :)

    @Юрий
    шо, так ужасно ?) Интернет сленг меня испортил каюсь

    @osman anything about jobs and positions - drop a line on my email pls

    @ipoval yeah, I think they wrote it your way. No matter how - the problem is next line

    @Опасносте израиль? Там тепло? если да - пиши на почту )

    @Daniel Myasnikov ненужный хайп )

    ReplyDelete
  47. Good hack. To the haters, it could have been much worse - who knows if this has been done before and how many projects might have time bombs hidden in them now. This guy did us all a big favor.

    ReplyDelete
  48. Just wanted to say thanks for this hack. I would be out enjoying a beer after work, but now I have to update ssh keys for several developers.

    ReplyDelete
  49. To all the anon's. If this guy is a brain dead retard, what does that make the people at GitHub and behind Rails for not catching this even when he was telling them, over and over again, that it existed? http://tinyurl.com/7ofdrn3

    P.S. спасибо

    P.P.S. Literally while I was typing this you posted awesome new article based around CSRF attacks, keep it up. :)

    ReplyDelete
  50. Егор красавчик, все прально сделал. Чувак я за твоим блогом слежу, я еще не видел чтоб так часто посты по дыркам обновлялись. Keep the good work!

    ReplyDelete
  51. Even though I am not into codes and all, I just showed it to my programmer friend and he found it to be useful. So thanks a lot.

    Moving To Nyc

    ReplyDelete
  52. Igor, Mr. Putin will be extremely proud of you!

    ReplyDelete
  53. Very useful. This site is referenced in the MVC4 book "Professional ASP.NET MVC 4" on page 174.

    ReplyDelete