Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RubyGems 0.9.0 and earlier installation exploit

from [Eric Hodel] Network Security [Permanent Link]
Subject: RubyGems 0.9.0 and earlier installation exploit
Date: Sun, 21 Jan 2007 01:16:48 -0800 
Background:

RubyGems is the typical packaging tool for ruby packages.

RubyGems home page:

http://rubygems.org/

Ruby home page:

http://ruby-lang.org

Problem Description:

RubyGems does not check installation paths for gems before writing files.

Impact:

Since RubyGems packages are typically installed using root permissions, arbitrary files may be overwritten on-disk. This may lead to denial of service, privilege escalation or remote compromise.

Workaround:

No known workarounds

Solution:

a) Upgrade to RubyGems 0.9.1

b) Apply one of the following patches

For RubyGems 0.9.0:


Attachment: installer.rb.extract_files.REL_0_9_0.patch
Description: Binary data


For RubyGems 0.8.11:


Attachment: installer.rb.extract_files.REL_0_8_11.patch
Description: Binary data


MD5 (installer.rb.extract_files.REL_0_8_11.patch) = 31e3bacd1821de0272864c153b7c0dca
MD5 (installer.rb.extract_files.REL_0_9_0.patch) = bed4fcdd438a7d8b81cf72e1ffe48a7d

Patches may also be downloaded here:

http://rubyforge.org/frs/shownotes.php?group_id=126&release_id=9074

Note:

Remote installations via Rubyforge will be disabled in the near future for versions of RubyGems earlier than 0.9.1, even for patched versions of RubyGems. Local installations will continue to work, however.

Thanks to Gavin Sinclair for finding and reporting this problem.

Testing your updated RubyGems:

Installing rspec-0.7.5 will give an InstallError on a patched version of RubyGems:

$ gem install rspec --version 0.7.5
ERROR: While executing gem ... (Gem::InstallError)
attempt to install file into "../web_spec/ web_test_html_formatter.rb"

An updated rspec (0.7.5.1) has already been released.

--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RubyGems 0.9.0 and earlier installation exploit, Eric Hodel <=
Previous by Date:  Re: ZixForum <= 1.14 (Zixforum.mdb) Remote Password Disclosure Vulnerability, anonym
Next by Date:  Medium Risk Vulnerability in PGP Desktop, NGSSoftware Insight Security Research
Previous by Thread:  Omniture SiteCatalyst Multiple Cross-Site Scripting Vulnerabilities, DoZ
Next by Thread:  Medium Risk Vulnerability in PGP Desktop, NGSSoftware Insight Security Research
Indexes:  [Date] [Thread] [Top] [All Lists]