RubyGems < 2.6.13 - Arbitrary File Overwrite

EDB-ID: 42611
Author: mame
Published: 2017-09-04
CVE: CVE-2017-0901
Type: Local
Platform: Linux
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

Proof of Concept 1: Create a file anywhere

This PoC attempts to create a file /tmp/malicious-0/BOOOOM.

1) Download the attached file malicious.gem.
2) Run gem install malicious.gem --no-doc.
3) /tmp/malicious-0/BOOOOM should be created.

malicious.gem assigns ../../../../../../../../../../tmp/malicious as name field. This attack is relatively weak since the path must include a directory named <name>-<version>, such as malicious-0. Still, there are many chances that cause a catastrophe. For example, think of replacing a file in /etc/dbus-1/.

Proof of Concept 2: Replace rackup command

This PoC attempts to replace gems/rack-2.0.3/bin/rackup with a malicious file.

1) Download the attached file replace-rackup.gem.
2) Run gem install rack -v 2.0.3.
3) Run gem install replace-rackup.gem --no-doc.
4) Run rackup. It will emit just BOOOOM!.

replace-rackup.gem assigns ../gems/rack as name field, and contains a malicious file bin/rackup. This is really exploitable for attackers.


For how to create the malicious gems, see the attached file src.tar.gz.

Proof of Concept:

Related Posts