“There was a vulnerability with RubyGems.org which allowed someone to execute code on the server,” a Ruby programmer I talked to said. “RubyGems is a big target, because if you could break in and change a Rails gem, you could gain access to a lot of servers.”
Popular sites such as Twitter, Groupon, AirBnB, and Hulu are built using Ruby on Rails, a popular web framework written in the Ruby programming language. Ruby gems are packages of code that allow developers to distribute programs or libraries, and RubyGems.org is the central service the Ruby community uses to publish and distribute those gems. Essentially, if an attacker can tamper with those gems, they could potentially gain control of thousands, if not millions, of sites around the world that run Ruby on Rails.
The exploit itself
“RubyGems is a critical part of the Ruby infrastructure,” the programmer said. “Everything depends on RubyGems.”
RubyGems explained the situation this way in a Google doc that site administrators set up for status updates:
A user uploaded a malicious gem that contained a malicious gem manifest (YAML file). The manifest contained embedded Ruby with this payload. This is the only known incident involving this vulnerability, but the vulnerability involved is a remote code execution exploit, so the usual rules apply.
The Ruby programmer that I talked to, who did not want to be identified since he works with some of the key engineers at RubyGems and Heroku, said that the infected gem was executed by the server, and then “emailed the database configuration details, including passwords to a paste-it note on Pastie.org.”
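To make the mechanism concrete, here is an added illustration of the class of bug described above; it is not RubyGems.org's code and not the payload from the incident. A gem's manifest is a YAML document, and YAML in Ruby (Psych) will, under the permissive loader, instantiate any class named by a `!ruby/object:` tag and run that class's `init_with` hook during parsing. Because a legitimate manifest itself uses `!ruby/object:` tags for the specification class, the fix is not to ban the tag but to load with an explicit allowlist of permitted classes. The `DemoSpec` and `LoaderProbe` classes and both manifests below are constructed stand-ins for the example.

```ruby
require 'yaml'

# Constructed stand-in for a gem specification class (not Gem::Specification):
# a plain data holder with no hooks of its own.
class DemoSpec
  attr_reader :name, :version
end

# Constructed stand-in for "embedded Ruby" in a manifest. Psych instantiates
# any class named by a !ruby/object tag and, if the class defines init_with,
# calls it while the document is still being parsed. This one only records
# that it ran, so the effect can be observed.
class LoaderProbe
  @@runs = []
  def self.runs
    @@runs
  end

  def init_with(coder)
    @@runs << coder['marker']
  end
end

# Two constructed manifests. The legitimate one names only the spec class;
# the hostile one smuggles a second class into the version field.
BENIGN_MANIFEST = <<~YAML
  --- !ruby/object:DemoSpec
  name: example
  version: 1.0.0
YAML

HOSTILE_MANIFEST = <<~YAML
  --- !ruby/object:DemoSpec
  name: example
  version: !ruby/object:LoaderProbe
    marker: ran-during-parse
YAML

# The vulnerable pattern: the permissive loader that older Psych exposed as
# YAML.load (Psych 4 renamed it unsafe_load and made load safe by default).
def permissive_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The hardened pattern: an explicit allowlist of classes the manifest may name.
# Returns [:ok, object] or [:rejected, exception class name].
def strict_load(doc, permitted)
  [:ok, YAML.safe_load(doc, permitted_classes: permitted, aliases: false)]
rescue Psych::DisallowedClass => e
  [:rejected, e.class.name]
end

# Triage check a registry could run over uploads: list the !ruby/ tags that
# name classes outside the allowlist. A heuristic only; the loader above is
# the real control.
def unexpected_ruby_tags(doc, permitted)
  allowed = permitted.map(&:name)
  doc.scan(%r{!ruby/\w+:([A-Za-z0-9_:]+)}).flatten.uniq - allowed
end

if __FILE__ == $PROGRAM_NAME
  spec = permissive_load(HOSTILE_MANIFEST)
  puts "permissive loader built a #{spec.version.class}; probe ran #{LoaderProbe.runs.size} time(s)"
  puts "strict loader: #{strict_load(HOSTILE_MANIFEST, [DemoSpec]).inspect}"
  puts "tags to review: #{unexpected_ruby_tags(HOSTILE_MANIFEST, [DemoSpec]).inspect}"
end
```

Run as a script, the permissive loader returns a `DemoSpec` whose version field is a live `LoaderProbe` that already executed its hook, while `strict_load` rejects the same document with `Psych::DisallowedClass` and still accepts the benign manifest. Any code that the hook could reach, such as reading the application's database configuration, runs with the parser's privileges, which is why parsing an untrusted manifest on the server was enough.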
As soon as Heroku became aware of the issue this morning, site administrators disabled the site's update and publishing services. Heroku's status notice read:
Ruby deploys have been temporarily disabled to protect our users from malicious gems. We will have more information available shortly, including a workaround for those who wish to deploy anyway.
Based on the information currently available, it doesn’t appear to have been an especially malicious attack, but rather a forceful way of informing the RubyGems organization that it had a vulnerability. The malicious gem was named “exploit,” a pretty clear signal that the author or authors were not trying to slip something in unnoticed, and “they could have done more,” my source said.
RubyGems.org is currently verifying every gem file by comparing it against earlier copies for differences before re-enabling full functionality. As of 7:30 PM PST, the service's classic API and V1 API are back up, but its web application and Dependency API are still down.