It seems that any escape sequence can be included in the "summary" field of a gemspec. This allows an attacker to inject escape sequences into a victim's terminal emulator: when the victim runs
gem search attackers-gem -d
(`-d` prints the details of each matching gem, including its summary), the malicious string is written straight to the terminal emulator.

In general, this is considered a vulnerability. I'd like you to read "Terminal Emulator Security Issues" in detail. In short, an attacker can exploit this not only to surprise a victim with a rainbow-coloured string, but also to inject a malicious command into the victim's terminal, which may lead to arbitrary code execution. Ruby's WEBrick also handled a similar issue as a vulnerability.
Gem::Specification.new do |spec|
  spec.name = "escape-sequence-injection-vulnerability"
  spec.version = "0.0.1"
  spec.authors = ["Yusuke Endoh"]
  spec.email = ["[email protected]"]
  # "\e[31m" / "\e[0m" switch the foreground colour to red and back (CSI SGR);
  # "\e]2;BOOM!\a" is an OSC sequence that sets the terminal window title.
  spec.summary = "foo\e[31mbar\e[0mbaz \e]2;BOOM!\a"
  spec.homepage = "http://example.com/"
  spec.license = "MIT"
end
Build and install the gem, then query it with details (`gem query` is the older name for `gem list`; the `sleep` keeps the window open long enough to see the title change):
gem build escape-sequence-injection-vulnerability.gemspec
gem install escape-sequence-injection-vulnerability-0.0.1.gem
gem query escape-sequence-injection-vulnerability -d && sleep 10
You will see the summary line "foobarbaz" (with "bar" in red), and the terminal window title changed to "BOOM!".
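As an added example (this is not code from the report, and not the fix RubyGems shipped), here is a small Ruby check that a gem client or build step could apply to free-text metadata before printing it: it lists the escape sequences found, strips them, and reports which gemspec fields carry control characters. The function names, the choice to replace stray control characters with "." and the field list are assumptions for illustration; the check runs against the report's gemspec built in memory, so nothing is written to disk.

```ruby
# Added example (not part of the report and not RubyGems' own fix): detect and
# neutralise terminal control sequences in untrusted gem metadata before it is
# printed to a terminal. Uses only the Ruby standard library and RubyGems.
require "rubygems"

# Escape sequences a terminal may act on:
#   CSI  ESC [ params intermediates final   e.g. "\e[31m"  (red foreground)
#   OSC  ESC ] text, ended by BEL or ESC \  e.g. "\e]2;t\a" (set window title)
#   any other ESC followed by one printable byte
ESCAPE_SEQUENCE = /
  \e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]   # CSI
  | \e\][^\a\e]*(?:\a|\e\\)                 # OSC
  | \e[\x20-\x7e]                           # ESC + single byte (covers an unterminated OSC)
/x

# Remaining control characters: C0 except TAB and LF, DEL, and the C1 range,
# which UTF-8 terminals may also interpret (U+009B is a one-byte CSI).
CONTROL_CHARS = /[\x00-\x08\x0b-\x1f\x7f\u0080-\u009f]/

# Returns every escape sequence found, in order (useful for a log line or an
# error message that explains why a gem was rejected).
def terminal_sequences(text)
  text.scan(ESCAPE_SEQUENCE)
end

# Drops escape sequences entirely and replaces any other control character
# with a visible ".", so nothing reaches the terminal's sequence parser.
def sanitize_terminal_text(text)
  text.gsub(ESCAPE_SEQUENCE, "").gsub(CONTROL_CHARS, ".")
end

# Names of the free-text gemspec fields that contain control characters.
# Assumed policy (not RubyGems' behaviour): a packager could refuse to build,
# and a client could refuse to print, when this list is non-empty.
def unsafe_metadata_fields(spec)
  {
    "summary"     => spec.summary,
    "description" => spec.description,
    "authors"     => spec.authors.join(", "),
    "homepage"    => spec.homepage,
  }.select { |_, value| value && value.match?(CONTROL_CHARS) }.keys
end

# The gemspec from the report, built in memory (nothing is written to disk).
def malicious_spec
  Gem::Specification.new do |spec|
    spec.name     = "escape-sequence-injection-vulnerability"
    spec.version  = "0.0.1"
    spec.authors  = ["Yusuke Endoh"]
    spec.summary  = "foo\e[31mbar\e[0mbaz \e]2;BOOM!\a"
    spec.homepage = "http://example.com/"
    spec.license  = "MIT"
  end
end

if __FILE__ == $PROGRAM_NAME
  spec = malicious_spec
  puts "unsafe fields: #{unsafe_metadata_fields(spec).inspect}"
  puts "sequences:     #{terminal_sequences(spec.summary).inspect}"
  puts "safe summary:  #{sanitize_terminal_text(spec.summary).inspect}"
end
```

The two-step sanitiser matters: stripping only known sequences would still let a bare ESC or a C1 byte through, and replacing every control character without first removing whole sequences would leave the sequence parameters ("[31m", "2;BOOM!") as visible noise. Rejecting the gem outright, rather than cleaning its text, is the better choice at build or publish time, since a summary with control characters has no legitimate use.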