talkgroup

Malicious remote code execution backdoor discovered in the popular bootstrap-sass Ruby gem

Tags: #<Tag:0x00007f736892c830> #<Tag:0x00007f736892c6f0>

https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/

Yikes!

1 Like

wow that sucks.

1 Like

Undid the trailing ellipsis in the title so people could know the vulnerable package without clicking through…

2 Likes

The backdoor was wisely hidden in the 3.2.0.3 version that was only published to RubyGems and no source of the malicious version existed on the GitHub repository and allowed remote attackers to dynamically execute code on servers hosting the vulnerable versions.

So, uh, this single line completely undermines the use of these repos, ne?

I think of it practically, I’d much rather pin something to a repo than a keyword.

gem install https://allthe.codes/interi/lib is better than gem install interi.

I’ve always done this and got made fun of a couple of times when sharing code, but I personally want to know where my code is coming from, and I didn’t understand how these repos are accountable. I still believe I’m just acting out my paranoid delusions, so you know how surprised I am to read that.

The bootstrap-sass package is very popular and the malicious backdoor potentially affects a large set of users. The package’s GitHub repository has been starred more than 12,000 times, and features over 27 million downloads in total. The current version, 3.4.1, has over 217,000 downloads.

A quick analysis shows roughly 1,670 GitHub repositories that may have been exposed to the malicious library through direct use. This number will increase significantly when counting its usage in applications as a transitive dependency.

Emphasis mine.

On March 26th, version 3.2.0.3 was published by malicious actors. The version includes hides a backdoor in a new file, lib/active-controller/middleware.rb . The backdoor taps into another Ruby module and modifies it so that specific cookies that are sent by the client will be Base64 decoded and then evaluated in runtime, to effectively allow remote code execution.

Oh, that’s hot! What a mindfuck, huh?

  • Cool, I can integrate this winter snowflake javascript library into Bootstrap!
  • Hands cookies over.

Wow they caught it pretty quickly. This appears to be the rca https://github.com/twbs/bootstrap-sass/issues/1195#issuecomment-479884504

2 Likes