Hacker News new | comments | show | ask | jobs | submit login

The exploit was written by @postmodern_mod3: https://twitter.com/judofyr/status/296649167189725184

Edit: At least a PoC. How someone other than him (since he's denying compromising rubygems) found his PoC, wrote the actual payload and pushed the exploit gem is unclear.

Short timeline:

- 1 week ago: blambeau reported the issue to the rubygems people: https://github.com/tenderlove/psych/issues/119#issuecomment-...

- Postmodern wrote a PoC - https://gist.github.com/4674219

- Postmodern: "I posted it in a private chat room. Guess someone took it for a ride." - https://twitter.com/postmodern_mod3/status/29665192240284057...

- A gem called `exploit-36.44.16` was pushed to RubyGems. This contains a payload that only sends `uname -r` to pastie.

- A gem called `exploit-22.31.31` was pushed to RubyGems. This contains a payload that posted the config/database.yml to pastie. This gem was removed by the rubygems admins when they discovered it - http://news.ycombinator.com/item?id=5140109 & https://gist.github.com/d891e876c53e55bf0920 (that's the payload)

Other exploit gems that were pushed (but we don't know what they did):

- 16.17.49 - https://twitter.com/rubygems/status/296618422702309377

- 20.22.1 - https://twitter.com/rubygems/status/296617610622144512

- 12.5.4 - https://twitter.com/rubygems/status/296540884781109248

- 7.27.42 - https://twitter.com/rubygems/status/296537952320884736

My conclusion based on the current facts:

1 week is too long for such a severe security issue. A proof-of-concept gem seems to be a logical step to "force" rubygems.org to fix this issue. However, publishing database.yml on pastie is TOTALLY 100% NOT COOL, and turns this from "whitehat who wants to help" to "blackhat that wants to destroy (or doesn't understand social norms)".

> However, publishing database.yml on pastie is TOTALLY 100% NOT COOL ...

This whole thing is a joke, from the ridiculously unsafe YAML parser to the response of the RubyGems people.

If these are your community social norms, then you quite simply deserve the resulting shake-up. This is how you become inoculated against such incredibly poor engineering practices.
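The "unsafe YAML parser" the reply above refers to is the general class of problem behind this incident: a YAML loader that honours `!ruby/object:` tags will allocate arbitrary Ruby classes and call back into them while parsing untrusted metadata. The following is an added example, not code from the thread, the leaked payload or RubyGems itself; the `Tripwire` class and both YAML documents are constructed for illustration, and the only assumption about the environment is a stock Psych (`yaml` stdlib) on Ruby 2.3 or later.

```ruby
require 'yaml'

# Constructed, benign stand-in for whatever class an attacker would tag in
# gem metadata. The point is only that the parser instantiates it and calls
# back into it; the name is an assumption, not from the original thread.
class Tripwire
  @instantiated = 0
  class << self
    attr_accessor :instantiated
  end

  attr_reader :note

  # Psych calls init_with(coder) on any object it revives from a
  # !ruby/object: tag, so parsing alone is enough to run this method.
  def init_with(coder)
    self.class.instantiated += 1
    @note = coder['note']
  end
end

# Constructed sample: a gemspec-like document smuggling an object tag.
HOSTILE_YAML = <<~YAML
  --- !ruby/object:Tripwire
  note: "this ran inside the parser"
YAML

# Constructed sample: the kind of plain metadata a loader should accept.
BENIGN_YAML = <<~YAML
  name: example
  version: "1.0.0"
  authors:
    - someone
YAML

# The historical behaviour: Psych < 4 made YAML.load the permissive loader;
# Psych >= 4 (Ruby 3.1+) moved that behaviour to YAML.unsafe_load and made
# YAML.load safe by default. Pick whichever is the permissive one here.
def load_unsafe(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The hardened form: safe_load only builds core types (Hash, Array, String,
# Integer, ...) and rejects every tagged class not explicitly permitted.
# Returns [:ok, data] or [:rejected, message].
def load_safe(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if $PROGRAM_NAME == __FILE__
  obj = load_unsafe(HOSTILE_YAML)
  puts "unsafe loader built a #{obj.class}; init_with ran #{Tripwire.instantiated} time(s)"
  puts "safe loader on hostile doc: #{load_safe(HOSTILE_YAML).inspect}"
  puts "safe loader on benign doc:  #{load_safe(BENIGN_YAML).inspect}"
end
```

A server that stores or indexes gem metadata should be on the `load_safe` side of this split for every document it did not generate itself; `Tripwire#init_with` only records a counter, but it runs at exactly the point where a real payload would.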

I don't quite get what you're trying to say. What "community social norms"? Are you talking about how rubygems.org handled this vulnerability from the beginning? How the community handled this incident after it happened?

And what does it have to do with my quote? I was just pointing out that in general I'm for PoC to highlight security issues when the vendor doesn't respond, but stealing database.yml makes you nothing more than a simple crook.

This is the earliest version of the exploit I've been able to find in the Twitter timeline:

https://twitter.com/rubygems/status/296537952320884736 (12:38) 7.27.42 ~ 7 hours ago :(

But there were quite a few exploits pushed.
