[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")
pabs at pablotron.org
Wed Jan 17 10:58:48 EST 2007
* Tom Copeland (tom at infoether.com) wrote:
> On Tue, 2007-01-16 at 23:05 -0500, Paul Duncan wrote:
> > if I
> > wanted to install a trojan on thousands of people's machines, all I'd
> > need to do would be to build a malicious gem (see below), called
> > "rails-2.0" and upload it to my gem directory, then sit and wait.
> Hm, but that gem wouldn't be deployed on the RubyForge gem index unless
> it was uploaded to the rails project on RubyForge... so only folks who
> deliberately downloaded the gem from your project area would get
That's a good start, but it doesn't address the situation where one of
the mirrors or RubyForge itself is compromised, and a malicious gem is
forcibly inserted into the rotation.
Paul Duncan <pabs at pablotron.org> OpenPGP Key ID: 0x82C29562
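The mirror-compromise case raised above is exactly the one a client-side digest check cannot cover on its own, since a compromised index can serve a matching digest alongside the swapped gem. What does hold up is a manifest of per-gem digests signed with a maintainer key whose public half is obtained out-of-band. The script below is an added illustration of that check; it is not code from this thread, from RubyGems, or from RubyForge. The gem contents are constructed byte strings rather than real .gem archives, the signing key is generated on the spot, and the function names (sign_manifest, verify_manifest, check_gem, secure_equal?) are the example's own.

```ruby
require "digest"
require "json"
require "openssl"

# Constructed stand-ins for gem archive bytes (not real .gem files): one
# legitimate build and one trojaned build of the same name/version.
LEGIT_GEM    = "constructed gem archive: rails-2.0 (maintainer build)".b
TAMPERED_GEM = "constructed gem archive: rails-2.0 (trojaned build)".b

# Maintainer signing key, generated fresh here for the example. In real use the
# public half is distributed out-of-band (not fetched from the mirror that
# serves the gems), so a compromised mirror or index cannot substitute it.
MAINTAINER_KEY = OpenSSL::PKey::RSA.new(2048)

# Sign a manifest mapping "name-version" => SHA-256 hex digest of the gem file.
# The body is serialized with sorted keys so signing and verification see the
# same bytes regardless of hash insertion order.
def sign_manifest(key, entries)
  body = JSON.generate(entries.sort.to_h)
  sig  = key.sign(OpenSSL::Digest.new("SHA256"), body)
  { "body" => body, "sig" => [sig].pack("m0") } # m0: base64 without newlines
end

# Returns the parsed manifest if the signature is valid, nil otherwise.
def verify_manifest(pubkey, signed)
  sig = signed["sig"].unpack1("m0")
  return nil unless pubkey.verify(OpenSSL::Digest.new("SHA256"), sig, signed["body"])
  JSON.parse(signed["body"])
end

# Constant-time comparison so a timing side channel does not leak how much of
# the expected digest matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decide whether a downloaded gem may be installed:
#   :ok        digest matches the signed manifest entry
#   :mismatch  listed, but the bytes differ (tampered or substituted gem)
#   :unlisted  the maintainer never published this name/version
def check_gem(manifest, name_version, gem_bytes)
  expected = manifest[name_version]
  return :unlisted unless expected
  actual = Digest::SHA256.hexdigest(gem_bytes)
  secure_equal?(expected, actual) ? :ok : :mismatch
end

# Walk through the scenarios from the thread and return the outcomes.
def run_scenarios
  signed   = sign_manifest(MAINTAINER_KEY, "rails-2.0" => Digest::SHA256.hexdigest(LEGIT_GEM))
  manifest = verify_manifest(MAINTAINER_KEY.public_key, signed)

  # An attacker on the mirror swaps the gem and rewrites the digest, but has
  # no way to produce a fresh signature, so the old one is reused.
  forged = {
    "body" => JSON.generate("rails-2.0" => Digest::SHA256.hexdigest(TAMPERED_GEM)),
    "sig"  => signed["sig"],
  }

  {
    legit:     check_gem(manifest, "rails-2.0", LEGIT_GEM),
    tampered:  check_gem(manifest, "rails-2.0", TAMPERED_GEM),
    unlisted:  check_gem(manifest, "rails-9.9", LEGIT_GEM),
    forged_ok: !verify_manifest(MAINTAINER_KEY.public_key, forged).nil?,
  }
end

if __FILE__ == $0
  run_scenarios.each { |k, v| puts "#{k}: #{v}" }
end
```

Running it prints :ok for the maintainer build, :mismatch for the trojaned bytes, :unlisted for a version the maintainer never published, and false for the forged manifest. The key design point is the trust split: the mirror is trusted only to deliver bytes, and the decision to install rests on a signature that the mirror operator cannot produce.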