
Using predictable tmp directory

Open stahnma opened this issue 8 years ago • 4 comments

When building projects with rubyc/ruby-packer, it uses a predictable name in /tmp. If this is happening, an attacker could put their own payloads and instructions in that location. Additionally, it prevents multiple builds using ruby-packer from happening at the same time on the same system.

stahnma avatar Aug 25 '17 01:08 stahnma

You could use your own location for temp directory, sample of use: tasks/gem/compile#L64.

SwagDevOps avatar Aug 25 '17 07:08 SwagDevOps

This should be fixed in ruby-packer. It's a legitimate security issue.

0x1eef avatar Aug 25 '17 12:08 0x1eef

I have seen similar in the past with tools like this:

loop do
  File.binwrite "evilpayload", File.join("tmp", "ruby")
end

If this is running all the time, then it's possible due to a race condition that ruby-packer launches "evilpayload" instead of ruby.

0x1eef avatar Aug 25 '17 13:08 0x1eef

Also more sophisticated solutions at hand using FS events. Which is why I think ruby-packer needs a robust solution to this problem.

0x1eef avatar Aug 25 '17 13:08 0x1eef
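One way a build tool can avoid both problems raised in this thread (planted content in a shared path, and concurrent builds colliding), shown as an added example that is not ruby-packer's code or part of any comment above. The helper names `fresh_build_dir` and `build_dir_problems`, the `rubyc-build-` prefix and the `fixed-name` path are assumptions made for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical helper: a private, uniquely named build directory per run.
# Dir.mktmpdir creates the directory with mode 0700 and a random suffix,
# so it never reuses a path that somebody else prepared in advance.
def fresh_build_dir(prefix = "rubyc-build-")
  Dir.mktmpdir(prefix)
end

# Hypothetical helper: reasons a pre-existing directory must not be trusted
# as a build root. An empty array means no problem was found.
def build_dir_problems(path)
  st = File.lstat(path) # lstat: inspect the entry itself, do not follow links
  problems = []
  problems << "is a symlink" if st.symlink?
  problems << "not a directory" unless st.directory? || st.symlink?
  problems << "not owned by current user" unless st.uid == Process.euid
  problems << "writable by group or others" if (st.mode & 0o022) != 0
  problems
rescue Errno::ENOENT
  ["does not exist"]
end

# Constructed demo: a sandbox stands in for /tmp so nothing outside is touched.
def demo
  sandbox = Dir.mktmpdir("demo-")
  fixed = File.join(sandbox, "fixed-name") # constructed predictable path
  Dir.mkdir(fixed)
  File.chmod(0o777, fixed)                 # as if another user had prepared it
  a = fresh_build_dir
  b = fresh_build_dir                      # a second, concurrent build
  { fixed: build_dir_problems(fixed), fresh: build_dir_problems(a), distinct: a != b }
ensure
  FileUtils.remove_entry(sandbox) if sandbox
  [a, b].compact.each { |d| FileUtils.remove_entry(d) }
end

p demo if $PROGRAM_NAME == __FILE__
```

A tool that must keep a fixed location for caching can run the audit before every use and refuse to build when it returns anything.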