Seeing Novel Rails Hack Attempts

rubyonrails-talk
1

Hi,

We’re getting some weird exceptions that look like hack attempts, and I’m hoping someone can help us understand them. It looks like an intentionally malformed URL is somehow causing unexpected behavior.

Here’s what we’re seeing. These URLS:

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h.before=b,e=

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h.

https://gadgetco.hiringthing.com/admin/jobs/k(b.onLoad)&&n(a,‘load’,h.onLoad),null==h||‘none’

Will crash our system, and the trace doesn’t include any files from our application (just framework code), trying to load a “Jobs” object that doesn’t exist.

https://gadgetco.hiringthing.com/admin/jobs/somerandomstring

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h

will work correctly, hitting our controller and successfully redirect the user somewhere, and

https://gadgetco.hiringthing.com/admin/jobs/1

will also work correctly, using Job.find(params[:id]) to load a job (note object is Job not Jobs).

Something different is going on between:

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h. (fails)

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h (works correctly)

and I don’t know what. None of the related routes have any fancy regex or anything unusual. Any insight would be appreciated.

Thanks for your help.

Josh

2

Josh, Do you see any quit request types along with this? I see quit requests and it makes the web application complain that it doesn’t know what kind of request that is.

Kent

3

We do get a fair amount of requests to random HTTP verbs and file types, but the system usually handles that just fine (throwing an unknown request exception would be desired behavior.) What concerns me about this is that I’m seeing unexpected behavior, based on the addition of a period in the URL. Something is getting parsed in an usual way somewhere in the stack…

4

We do get a fair amount of requests to random HTTP verbs and file types, but the system usually handles that just fine (throwing an unknown request exception would be desired behavior.) What concerns me about this is that I’m seeing unexpected behavior, based on the addition of a period in the URL. Something is getting parsed in an usual way somewhere in the stack…

So what does happen - you said crash in your original post - does that mean a segmentation fault, exception, something else?

Fred

5

It’s one of two exceptions. Either “RuntimeError: Circular dependency detected while autoloading constant Jobs” or “LoadError: Unable to autoload constant Jobs”. The trace includes no application files (only framework files), and we have no “Jobs” object defined in the system.

We do have a Jobs resource defined in routes for some specific URL behavior, but no Jobs object. It very well could be related to that… the question is why

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,bc(h,b)),h.

Triggers this, and

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,bc(h,b)),h

Does not.

6

To clarify,

https://gadgetco.hiringthing.com/admin/jobs/k(b.onLoad)&&n(a,'load,null==h||‘none’

Crashes with the exception “LoadError: Unable to autoload constant Jobs”, while

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,bc(h,b)),h.before=b,e=

Gives the “RuntimeError: Circular dependency detected while autoloading constant Jobs” exception.

Both traces include on Framework files not Application files. Both of these:

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,bc(h,b)),h

https://gadgetco.hiringthing.com/admin/jobs/somerandomstring

work correctly, hitting our controller and redirecting the user as intended.

7

To clarify,

https://gadgetco.hiringthing.com/admin/jobs/k(b.onLoad)&&n(a,‘load’,h.onLoad),null==h||'none'

Crashes with the exception "LoadError: Unable to autoload constant Jobs", while

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h.before=b,e=

Gives the "RuntimeError: Circular dependency detected while autoloading constant Jobs" exception.

Both traces include on Framework files not Application files. Both of these:

Can you post one of the stack traces?

Colin

8 
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:464:in `load_missing_constant'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:184:in `const_missing'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:495:in `load_missing_constant'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:184:in `const_missing'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:228:in `const_get'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:228:in `block in constantize'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:224:in `each'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:224:in `inject'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:224:in `constantize'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:535:in `get'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:566:in `constantize'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:78:in `controller_reference'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:68:in `controller'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:46:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/journey/router.rb:71:in `block in call'
actionpack (4.0.13.rc1) lib/action_dispatch/journey/router.rb:59:in `each'
actionpack (4.0.13.rc1) lib/action_dispatch/journey/router.rb:59:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:676:in `call'
vendor/gems/rack-p3p/lib/rack-p3p.rb:12:in `call'
rack (1.5.2) lib/rack/etag.rb:23:in `call'
rack (1.5.2) lib/rack/conditionalget.rb:25:in `call'
rack (1.5.2) lib/rack/head.rb:11:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/flash.rb:241:in `call'
rack (1.5.2) lib/rack/session/abstract/id.rb:225:in `context'
rack (1.5.2) lib/rack/session/abstract/id.rb:220:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/cookies.rb:486:in `call'
activerecord (4.0.13.rc1) lib/active_record/query_cache.rb:36:in `call'
activerecord (4.0.13.rc1) lib/active_record/connection_adapters/abstract/connection_pool.rb:626:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (4.0.13.rc1) lib/active_support/callbacks.rb:373:in `_run__838384711__call__callbacks'
activesupport (4.0.13.rc1) lib/active_support/callbacks.rb:80:in `run_callbacks'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
rails-dev-tweaks (1.2.0) lib/rails_dev_tweaks/granular_autoload/middleware.rb:36:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
airbrake (4.1.0) lib/airbrake/rails/middleware.rb:13:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
railties (4.0.13.rc1) lib/rails/rack/logger.rb:38:in `call_app'
railties (4.0.13.rc1) lib/rails/rack/logger.rb:20:in `block in call'
activesupport (4.0.13.rc1) lib/active_support/tagged_logging.rb:68:in `block in tagged'
activesupport (4.0.13.rc1) lib/active_support/tagged_logging.rb:26:in `tagged'
activesupport (4.0.13.rc1) lib/active_support/tagged_logging.rb:68:in `tagged'
railties (4.0.13.rc1) lib/rails/rack/logger.rb:20:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/request_id.rb:21:in `call'
rack (1.5.2) lib/rack/methodoverride.rb:21:in `call'
rack (1.5.2) lib/rack/runtime.rb:17:in `call'
activesupport (4.0.13.rc1) lib/active_support/cache/strategy/local_cache.rb:83:in `call'
rack (1.5.2) lib/rack/lock.rb:17:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/static.rb:84:in `call'
rack (1.5.2) lib/rack/sendfile.rb:112:in `call'
airbrake (4.1.0) lib/airbrake/user_informer.rb:16:in `_call'
airbrake (4.1.0) lib/airbrake/user_informer.rb:12:in `call'
railties (4.0.13.rc1) lib/rails/engine.rb:511:in `call'
railties (4.0.13.rc1) lib/rails/application.rb:97:in `call'
rack (1.5.2) lib/rack/content_length.rb:14:in `call'
thin (1.2.8) lib/thin/connection.rb:84:in `block in pre_process'
thin (1.2.8) lib/thin/connection.rb:82:in `catch'
thin (1.2.8) lib/thin/connection.rb:82:in `pre_process'
thin (1.2.8) lib/thin/connection.rb:57:in `process'
thin (1.2.8) lib/thin/connection.rb:42:in `receive_data'
eventmachine (1.0.3) lib/eventmachine.rb:187:in `run_machine'
eventmachine (1.0.3) lib/eventmachine.rb:187:in `run'
thin (1.2.8) lib/thin/backends/base.rb:61:in `start'
thin (1.2.8) lib/thin/server.rb:159:in `start'
rack (1.5.2) lib/rack/handler/thin.rb:16:in `run'
rack (1.5.2) lib/rack/server.rb:264:in `start'
railties (4.0.13.rc1) lib/rails/commands/server.rb:84:in `start'
railties (4.0.13.rc1) lib/rails/commands.rb:76:in `block in <top (required)>'
railties (4.0.13.rc1) lib/rails/commands.rb:71:in `tap'
railties (4.0.13.rc1) lib/rails/commands.rb:71:in `<top (required)>'
bin/rails:4:in `require'
bin/rails:4:in `<main>'