Vulnerability Focus: Remote Code Execution (RCE) Attacks

This week’s edition is all about remote code execution attacks. We have a cross-site scripting (XSS) vulnerability in the ever popular http-file-server which could lead to the execution of arbitrary JavaScript code in an unsuspecting victim’s browser.  On the other hand, we have a RubyGem exposure whose sheer magnitude led to the discovery of a potential cryptocurrency mining scheme. 

  • CVE-2019-15224 A code-execution backdoor in rest-client version 1.6.13 could lead to privilege escalation attacks
  • CVE-2019-5458 A cross-site scripting (XSS) vulnerability in all versions of http-file-server, a third-party Node.JS module

CVE-2019-15224

Vulnerability Score: TBD  (CVSS v3.0)

Platform: Ruby

Component: rest-client

Affected versions: v1.6.10 through v1.6.13

A malicious code-execution backdoor has just been located in version 1.6.13 of rest-client – a popular HTTP and REST (REpresentational State Transfer) client software package for Ruby. In essence, REST is an architectural style that standardizes modes of communication among different computer systems on the web. To delve a bit deeper, RESTful systems are stateless, and they separate concerns from client-side and server-side – the Ruby rest-client oversees requests sent to the server in order to retrieve or modify data stored on the server. 

In this compromised  version, the injected code within the gem would fetch malicious code from pastebin.com and send it to the attacker’s server to retrieve sensitive information from the client’s host machine. Kudos to Jussi Kuljonen for catching this vulnerability and promptly notifying the GitHub community on 19 August 2019.  Aside from that, he also pointed out that rest-client version 1.6.10 leading up to version 1.6.13, which have since been yanked, were also compromised. 

This is an image of how a hacker exploits the Ruby gem rest-client library with remote code execution, in a web application.
Remote Code Execution Exploit of Ruby Gem rest-client library

This is dangerous territory for users of said gem, as third-party attackers could exploit this vulnerability to perform remote code execution for personal gains. This could be in the form of privilege escalation attacks, whereby attackers could execute malicious code on the host’s server to access credentials of services used by a hosting site (i.e. database, payment service provider).

It should be noted this 1.6.13  version is considerably dated, as the latest rest-client version is 2.1.0.rc1. This raised suspicions among the DevOps community that this incident might have been a targeted attack.

This discovery then instigated a wider instigation which revealed that the same code was found in almost a dozen other gems: bitcoin_vanity, blockchain_wallet, omniauth_amazon, cron_parser, coin_base,  lita_coin, awesome-bot, doge-coin, and capistrano-colors. It has been established that the attacker(s) wanted to exploit the infected hosts to covertly mine cryptocurrency. 

In terms of scope of impact, the rest-client  version 1.6.13, which sparked the uncovering of this malicious plot, has had 1061 downloads. On the other hand, the total download count for all the compromised gems is a little over 3500. Regardless, the chaos ceases here as all affected gems have been removed by the RubyGems team – the compromised accounts of developers have also been locked for good measure.

As for the availability of a fix, version 1.6.14 (identical to the unaffected  v1.6.9) has been released to replace all compromised versions in the legacy 1.6.x series. To check your apps’ depencies, versions <= 1.6.9 or >= 1.6.14 are unaffected. If your version of the rest-client gems falls in between, you are advised to download the patch immediately. Don’t say you haven’t been warned!

CVE-2019-5457, CVE-2019-5458

Vulnerability Score: Medium — 5.4  (CVSS v3.0)

Platform: Node.JS 

Components: http-file-server, min-http-server

Affected versions: All versions

Look alive, all you http-file-server and min-http-server users! A cross-site scripting (XSS) vulnerability has been found in these third-party Node.JS modules. The HTTP File Server (HFS) is a web server used for the publishing and sharing of files. 

By definition, XSS is a type of cybersecurity vulnerability that enables attackers to inject client-side scripts into web pages viewed by unsuspecting users. Implications of XSS vary in range (i.e. petty nuisance to  critical security risk), depending on the nature of the data stored on the vulnerable site’s server and the strength of the security mitigation measures adopted by the site’s network.

In this instance, this cross-site scripting (XSS) vulnerability is the attack vector – it enables hackers with access to the server-file system to inject malicious Javascript-based scripts in the file name, so that these scripts will be automatically executed on the victim’s browser when files are listed. In technical jargon, this is known as improper neutralization of input during web page generation. The occurrence of this XSS vulnerability is due to the unsanitized  and invalid HTML input in the module filenames – it allows any injected and stored scripts within the server to be executed in the client’s browser.

The http-file-server has unfortunately been declared dead, and no known fixes have been made available to HFS users. The good news is that the project has been yanked to prevent further exploits such as hijacking of user sessions or phishing to steal user credentials. Credits to An Nguyen for disclosing these easily exploitable vulnerabilities to the DevSecOps community!

To end things, we will leave you with some helpful tips on cross-site scripting prevention methods. One should check that user input has been sanitized and that potentially executable characters have been properly encoded to avoid having them interpreted as executable code. It is also worth validating input as it stops users from adding special characters into webpage data entry fields by refusing the request – this mitigates the impact should an attacker discover such an XSS vulnerability.  We suggest you bookmark this useful resource: Cross Site Scripting Prevention Cheat Sheet, too!  

Found this useful? Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: Remote Code Execution (RCE) Attacks