Hackers Put a Backdoor in a Ruby Password Strength Checking Library

A Backdoor in a Ruby Password Checking Library

Password strength meters were created for all the best reasons. Their idea is to alert people to the danger of weak passwords and to encourage them to better protect their data. Unfortunately, they are not perfect.

In essence, a password strength meter is a collection of computer code, and no matter how clever it is, it can never take into account every single one of the factors that determine the strength of a password. The fact that password strength meters consist of computer commands creates another problem – if the code gets tampered with, the meters could become dangerous. Last week, Argentinian developer Tute Costa showed us how real this scenario could be.

A regular security audit reveals a hijacked Ruby library

Being a diligent developer, Costa was in the middle of auditing a Ruby application he was working on. He had recently applied quite a few updates, and he wanted to confirm that everything was working as expected.

This meant going through quite a few changelogs and scanning through hundreds of lines of code. Eventually, he ended up looking at strong_password – a Ruby library designed to check the strength of users' passwords. He was immediately intrigued.

strong_password was available both on RubyGems, the official repository for Ruby libraries, and on GitHub, yet the versions were different. GitHub suggested that there had been no updates for more than six months, but the version on RubyGems (0.0.7) was no more than a couple of days old. Costa couldn't find any changelogs or other official documentation which meant that the only way to proceed was to download the code from GitHub and compare it to what RubyGems was hosting.

The two libraries were identical except for a few lines of code which pulled and executed some commands from Pastebin. Costa was getting suspicious, and he decided to get in touch with Brian McManus, strong_password's developer, to see what he'll say. The reply came fifteen minutes later, and it confirmed Costa's worst fears – McManus had somehow lost control of the library, and the 0.0.7 version was rogue.

A backdoor used cookies to enable code execution

The malicious strong_password version would first check the environment it's running on. If the application is still in the testing phase, it would do nothing. If it's in production, however, it would trigger the infection chain which would eventually allow remote code execution.

The backdoored library checks the URL of the website or web application and sends it to smiley.zzz.com[.]ua. Then, it waits for instructions which come in the form of cookie files. The malicious code is designed to unpack and execute whatever is in the cookie, which means that the doors for the criminal who hijacked the strong_password library were wide open. Thankfully, they no longer are.

The malicious library was pulled offline fairly quickly

The backdoored strong_password was published on June 25, and Tute Costa discovered it on June 28. Shortly after getting a confirmation that the update is malicious, he got through to Rafael França, Ruby's security coordinator, and within less than half an hour, the library was pulled offline. Brian McManus seems to be back in control, and version 0.0.8 should be safe to use. The Pastebin repository that initiated the infection chain is also down now meaning that the backdoor is well and truly closed.

Although the malicious library stood online for no more than a few days, it still managed to rack up a downloads count of 537, however, which goes to show how quickly rogue software can affect unsuspecting users.

July 9, 2019

Leave a Reply