Stealing RubyGems API Keys during Post Exploitation

Between April and May of 2013, I presented at SOURCE Boston and THOTCON and blogged about some of my research involving the exploitation of continuous integration/delivery (CI/CD) services using malicious unit-tests as a remote code execution (RCE) attack vector.

During that time, I explored a number of fun post-exploitation scenarios that an attacker could use if they had successfully exploited the CI/CD infrastructure or build chain. This included attacking the build target directly, pivoting to adjacent systems, and abusing trust relationships that are imparted on these systems by their owners.

In this blog post, I want to briefly explore RubyGems API keys, which I only lightly touched on in my previous research.

What Are RubyGems API Keys?

As I discussed in a more recent blog post on signed RubyGems, a Ruby gem is a simple container for code and other relevant bits that can be portably installed by end-users with a single command, like "gem install gem_name".

What makes this possible is a centralized repository maintained by RubyGems.org at no cost to gem authors. To push new versions of their gems, gem authors first authenticate to RubyGems with their username and password; a RubyGems API token is then automatically persisted on the developer's workstation or CI/CD system.

Once a system has the RubyGems API key stored locally, a username and password are no longer required to push new gem versions. When a new Ruby gem needs to be published, the command "gem push gem_name.gem" is used, and the system reads the locally stored API key to authenticate the publish request.

Why Are RubyGems API Keys "Risky"?

When RubyGems API keys are stored on the system by the process described above, they are written to the current user's home directory in ~/.gem/credentials.

A typical credentials file would look something like this:

$ cat ~/.gem/credentials
---
:rubygems_api_key: 948979d097a4b11d029bf53f6d371829

The concern with this approach is that the key is not encrypted or otherwise protected, so an attacker with access to the system can quickly gather it and use it to publish potentially malicious gems on the developer's behalf. An unsuspecting user trying to install the real gem (from RubyGems.org) could then end up installing an attacker-controlled version, yielding further RCE scenarios. Ouch!
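As an added defender-side example (not code from this post or from the Metasploit module), the following Ruby script audits the credentials file described above: it parses the YAML format shown, flags a plaintext API key and permissions that let other local accounts read it, and can restrict the file to owner-only. The 0600 target and the /home scan root are assumptions for a build host, not something RubyGems or the post specifies.

```ruby
require "yaml"

# Mask a secret for reporting: show only the first and last four characters.
def mask_secret(value)
  s = value.to_s
  s.length <= 8 ? "*" * s.length : "#{s[0, 4]}...#{s[-4, 4]}"
end

# Default location RubyGems uses for the credentials file (HOME may be unset
# on a build agent, so fall back to a path that simply will not exist).
def default_credentials_path
  File.join(ENV.fetch("HOME", "/nonexistent"), ".gem", "credentials")
end

# Audit one credentials file. Returns a Hash; :findings lists the problems
# (:missing, :readable_by_others, :plaintext_api_key). The key is never
# returned in clear, only a masked preview under :keys.
def audit_gem_credentials(path = default_credentials_path)
  return { path: path, exists: false, findings: [:missing] } unless File.file?(path)

  findings = []
  mode = File.stat(path).mode & 0o777
  # Any group/other bit lets other local accounts read the key.
  findings << :readable_by_others if (mode & 0o077) != 0

  # The file is a small YAML document with symbol keys (":rubygems_api_key:").
  data = YAML.safe_load(File.read(path), permitted_classes: [Symbol])
  data = {} unless data.is_a?(Hash)
  keys = data.select { |k, v| k.to_s.end_with?("api_key") && !v.to_s.empty? }
  findings << :plaintext_api_key unless keys.empty?

  { path: path, exists: true, mode: format("%04o", mode),
    keys: keys.to_h { |k, v| [k.to_s, mask_secret(v)] }, findings: findings }
end

# Minimal hardening (assumed target 0600): owner-only permissions. The key
# itself stays as-is; rotating it has to happen on RubyGems.org.
def restrict_gem_credentials(path = default_credentials_path)
  File.chmod(0o600, path)
  audit_gem_credentials(path)
end

# Audit every account's file under a home root (assumed /home on a CI host).
def scan_home_dirs(root = "/home")
  Dir.glob(File.join(root, "*", ".gem", "credentials")).to_h { |p| [p, audit_gem_credentials(p)] }
end

puts audit_gem_credentials.inspect if __FILE__ == $PROGRAM_NAME
```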

A New Metasploit Post Exploitation Module

Today, I'd like to announce a new Metasploit module ("Multi Gather RubyGems API Key") that I've written to make the process of stealing these keys that much easier.

Why would I do such a thing? Well, it's because I would like to see the security of these API keys improve, and one of the ways we can influence change is by making it easier for security consultants and penetration testers to demonstrate this risk to our customers when build/developer systems are compromised during security assessments.

A prerequisite for using this new Metasploit module is having an existing Metasploit session on a target (the initial attack vector used to get the session is irrelevant). Once you set the session ID, the post module can extract RubyGems API keys from all users on the system, like so:

[Screenshot: output of the post module run against an existing session]

This module is currently available in the master branch of the Metasploit Framework GitHub repository here and was included in last Friday's Metasploit release.

Lastly, I'd like to sincerely thank @_sinner for his timely and thorough review during the development of this post module.

UPDATE – 02/06/2015

For those of you who have contacted me privately thinking I revealed my RubyGems API key, thank you for your concern.

I submit this for your consideration.

$ echo "SpidersAreFun" | md5

948979d097a4b11d029bf53f6d371829

Have a great day!
