Malicious code found in rest-client and 10 other Ruby packages

In the popular rest-client gem, which has 113 million downloads in total, a malicious code substitution (CVE-2019-15224) was identified that downloads executable commands and sends data to an external host. The attack was carried out by compromising the rest-client developer account on the rubygems.org repository, after which the attackers published releases 1.6.10 and 1.6.13 on August 13-14 containing the malicious changes. Before the malicious versions were blocked, about a thousand users managed to download them (the attackers released the updates against old version numbers so as not to attract attention).

The malicious change overrode the "#authenticate" method in the Identity class, so that every call to that method caused the email and password submitted during an authentication attempt to be sent to the attackers' host. In this way, the login credentials of users of services that use the Identity class and had installed the compromised version of the rest-client library were captured. rest-client is a dependency of many popular Ruby packages, including ast (64 million downloads), oauth (32 million), fastlane (18 million), and kubeclient (3.7 million).
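Because rest-client is pulled in transitively by the packages listed above, the practical check for an application is its Gemfile.lock, which pins every dependency, including indirect ones. The following script is an added example (not code from the article or from the rest-client project) that parses a Gemfile.lock and flags any pinned rest-client version in the range between the two releases the article names; the lock-file content is constructed sample data.

```ruby
# Added example: audit a Gemfile.lock for the rest-client releases reported
# in the advisory. Gemfile.lock pins transitive dependencies too, so a copy
# pulled in through ast, oauth, fastlane or kubeclient is caught as well.
require "rubygems"

# Version range built from the two releases the article names (1.6.10 and
# 1.6.13); the hash can be extended with further advisories.
AFFECTED = {
  "rest-client" => Gem::Requirement.new(">= 1.6.10", "<= 1.6.13"),
}.freeze

# Returns [[name, version], ...] for every gem pinned in the lock file.
# A pinned spec sits at exactly four spaces of indentation under "specs:";
# its sub-dependencies are indented by six and carry requirements, not pins.
def pinned_gems(lockfile_text)
  lockfile_text.each_line.map do |line|
    m = line.match(/\A    (\S+) \((\S+)\)\s*\z/)
    [m[1], m[2]] if m
  end.compact
end

# Returns the subset of pinned gems whose version falls in an affected range.
def affected_gems(lockfile_text)
  pinned_gems(lockfile_text).select do |name, version|
    req = AFFECTED[name]
    req && req.satisfied_by?(Gem::Version.new(version))
  end
end

# Constructed sample lock file: rest-client arrives only as a sub-dependency
# of another gem, which is how most affected applications would have had it.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-api-wrapper (0.3.0)
        rest-client (>= 1.6)
      mime-types (3.3)
      rest-client (1.6.13)
        mime-types (>= 1.16)

  PLATFORMS
    ruby

  DEPENDENCIES
    example-api-wrapper
LOCK

if __FILE__ == $PROGRAM_NAME
  hits = affected_gems(SAMPLE_LOCK)
  if hits.empty?
    puts "no affected gems pinned"
  else
    hits.each { |name, version| puts "AFFECTED: #{name} #{version}" }
  end
end
```

Running the script against a real project is a matter of replacing SAMPLE_LOCK with File.read("Gemfile.lock"); a hit means the lock file should be regenerated against a clean release and any credentials handled by the application during the exposure window rotated.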

In addition, a backdoor was added to the code that allows arbitrary Ruby code to be executed through the eval function. The code is delivered in a cookie whose contents are verified against the attacker's key. To notify the attackers that the malicious package has been installed, the URL of the victim's system is sent to an external host together with selected information about the environment, such as stored passwords for the DBMS and cloud services. Attempts to download cryptocurrency-mining scripts through this malicious code have been recorded.

After analysing the malicious code, it became clear that the same changes are present in 10 other packages on RubyGems. These were not hijacked, but were specially prepared by the attackers on the basis of other popular libraries with similar names, in which a dash was replaced by an underscore or vice versa (for example, the malicious package cron_parser was created on the basis of cron-parser, and the malicious doge-coin on the basis of doge_coin). Problem packages:
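The dash/underscore trick described above can be screened for mechanically: normalise each dependency name and compare it with a list of gems the team actually intends to use. The script below is an added example, not code from the article or any of the projects it mentions; the list of known gems and the sample Gemfile are constructed for the demonstration, and the names used are only those the article itself gives.

```ruby
# Added example: flag dependency names that differ from a list of known gems
# only by dash/underscore swaps, the lookalike naming the article describes.

# Constructed allow-list of gems the team intends to depend on.
KNOWN_GEMS = %w[cron-parser doge_coin rest-client].freeze

# Canonical form: case-insensitive, dashes and underscores treated alike.
def canonical(name)
  name.downcase.tr("_", "-")
end

# canonical form => the spelling we actually trust
KNOWN_BY_CANONICAL = KNOWN_GEMS.map { |g| [canonical(g), g] }.to_h.freeze

# Returns [[suspicious_name, known_name], ...] for every dependency that
# collapses onto a known gem but is spelled differently.
def lookalikes(dependency_names)
  dependency_names.map do |dep|
    known = KNOWN_BY_CANONICAL[canonical(dep)]
    [dep, known] if known && known != dep
  end.compact
end

# Extracts gem names from Gemfile lines such as:  gem "cron_parser", "~> 1.0"
def gem_names_from_gemfile(text)
  text.scan(/^\s*gem\s+['"]([^'"]+)['"]/).flatten
end

# Constructed sample Gemfile containing two of the lookalike spellings.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rest-client", "~> 2.1"
  gem "cron_parser"
  gem "doge-coin"
GEMFILE

if __FILE__ == $PROGRAM_NAME
  lookalikes(gem_names_from_gemfile(SAMPLE_GEMFILE)).each do |dep, known|
    puts "SUSPICIOUS: #{dep} resembles known gem #{known}"
  end
end
```

The output is a triage list rather than a verdict: two legitimate gems can coexist with a dash and an underscore spelling, so each hit should be confirmed against the package's publisher and release history on rubygems.org before being treated as typosquatting.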

The first malicious package from this list was published on May 12, but most of them appeared in July. In total, these packages were downloaded about 2500 times.

Source: budenet.ru
