The Ruby library is ubiquitous, it is everywhere, as proven by the number of loyal developers it attracted to the platform for decades. With the availability of its library for various operating systems, it is one of the most cross-compatible programming languages today which is highly underrated. However, recently, the use of Ruby needs to be done with caution as the bug which affects the strong_password library it comes with by default. The attackers were detected of using Pastebin.com as a repository of a secondary payload, which will be downloaded by the first payload. The attacker’s sophisticated attack against RubyGems give them the capability to actually detect what kind of system is infected, a test environment or a production-level system.
The attackers also use the website smiley.zzz.com.ua as a command and control domain, with the Ruby bug the perpetrators can execute arbitrary code using the library. This mechanism was first discovered by Tute Costa, a security researcher and posted his findings in his official blog site. “Couldn’t find the changes for strong_password. It appeared to have gone from 0.0.6 to 0.0.7, and we were up to date with those. If there was a new code, it existed only in RubyGems.org. I checked who published it and it was an almost empty account, with a different name than the maintainer’s, with access only to this gem. I checked the maintainer’s email in GitHub and wrote to him with the prettified version of the diff,” explained Costa.
This is confirmed by his colleague, Brian McManus who commented: “The gem seems to have been pulled out from under me… When I login to rubygems.org I don’t seem to have ownership now. Bogus 0.0.7 release was created 6/25/2019.” In view of a Pastebin page being involved with the infection scenario against a Ruby library computer, it seems that the malicious content it had was only made available until June 28 8PM UTC. During that period, injection of middleware to cookies was possible, creating a hijacking capability for the attacker, where they can easily execute whatever code they wish for.
RubyGems security acted on the issue, as their team from email@example.com were able to takedown the offending bug that causes the capability for remote code execution. System administrators are strongly encouraged to check their respective Ruby library installation, check for the existence of version 0.0.7 of the strong_password sublibrary, it was the version that was used for attacks.
“I asked for a CVE identifier (Common Vulnerabilities and Exposures) to firstname.lastname@example.org, and they assigned CVE-2019-13354, which I used to announce the potential issue in production installations to the rubysec/ruby-advisory-db project and the ruby-security-ann Google Group,” concluded Costa.
As of this writing version 0.0.7 was already removed for download, it gathered 537 downloads during the period of infiltration. A newer version with clean code is 0.0.8, details of which can be seen from the official page of RubyGems.