@arkadiyt
Created August 30, 2017 03:24
Rubygems vulnerability writeup

Rubygems blog post: http://blog.rubygems.org/2017/08/27/2.6.13-released.html

Ruby-lang blog post: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/

1) "a DNS request hijacking vulnerability"

Description:

Rubygems supports a gem server discovery mechanism: if you set your gem source to https://example.com, the gem client does a DNS SRV lookup on _rubygems._tcp.example.com to determine where it should send requests. A MITM can intercept that DNS request and return whatever server they want, forcing the gem client to download code from a malicious server.

Fix (8d91516fb):

Now the returned DNS record must be for a subdomain of the gem source (in this case it must point to a subdomain of example.com).
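The subdomain check that this fix describes, written stand-alone as an added example (not RubyGems' own code) so the edge cases are visible; the function names and the fallback-to-source behaviour are assumptions, and the SRV answers are constructed inline rather than looked up:

```ruby
# Added example, not RubyGems' own implementation. Shows the property the
# fix enforces: an SRV target is only honoured if it lies under the gem
# source's domain. No real DNS lookup is performed here.

# Returns true only if `target` is the source host itself or a subdomain of it.
# Case-insensitive, and tolerant of the trailing dot DNS answers carry.
# (Accepting the exact source host as well is an assumption of this example.)
def srv_target_allowed?(source_host, target)
  src = source_host.to_s.downcase.chomp('.')
  tgt = target.to_s.downcase.chomp('.')
  return false if src.empty? || tgt.empty?
  # Suffix test including the separating dot: a bare substring/suffix test
  # would let "evil-example.com" pass for a source of "example.com".
  # The ordering also rejects "example.com.attacker.net".
  tgt == src || tgt.end_with?('.' + src)
end

# Hypothetical helper: pick the host to send API requests to, given the
# source host and the SRV target the resolver returned. Falls back to the
# source host when the answer is not under the source domain.
def resolve_api_host(source_host, srv_target)
  srv_target_allowed?(source_host, srv_target) ? srv_target.chomp('.') : source_host
end

if __FILE__ == $0
  # Constructed SRV answers for a source of https://example.com
  [
    'api.example.com.',          # legitimate
    'mirror.gems.example.com',   # legitimate, deeper subdomain
    'evil-example.com',          # look-alike outside the source domain
    'example.com.attacker.net',  # source name used as a prefix
    'attacker.net'               # unrelated host
  ].each do |t|
    puts "#{t.ljust(28)} -> #{resolve_api_host('example.com', t)}"
  end
end
```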

2) "a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files"

Description:

Gem content could be unpacked into arbitrary file locations by setting the gem name to include file traversal characters like ../.

Fix (44cc27cd, ad5c0a53):

Now gem names can only contain letters, numbers, underscore (_), dash (-), and dot (.) characters.

3) "an ANSI escape sequence vulnerability"

Description:

Text specified in a gemspec can be output on installation or displayed when showing information about the gem. Gem authors can inject terminal escape sequences into (for instance) the authors field of the gem, and this will mess with end users' terminals.

Fix (ef0aa611):

Now ANSI control characters are scrubbed out of text fields.

4) "a DoS vulnerability in the query command"

Description:

If someone provided an extremely large gem summary, rubygems would hang trying to process it.

Fix (8a38a4fc):

Now the summary is truncated to 100,000 characters.
