Trojaned Gems: You can't tell you're using one

Trojaned Gems: You can't tell you're usingĀ one

This talk was presented at THOTCON 0x6, Beacon and OWASP Chicago. Brandon Myers and I talk about our research on Ruby Gem security. We talk about RubyGem 101 basics, transport layer security risks, how to trojan a gem, and discuss how to bypass gem signing. We also discuss a research tool we created to demonstrate the exploitation and trojaning process. We also provide guidance on how developers and users can better protect themselves from such weaknesses.

Demonstration Video #1: Gem Install Request Hijacking
https://vimeo.com/130781378

Demonstration Video #2: Trojaning a Gem in Transit
https://vimeo.com/130781377

Demonstration Video #3: Bypassing Signed Gems (on MediumSecurity)
https://vimeo.com/130781379

Blog Post:
https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/?page=1&year=0&month=0

Edb7903a55645abee02925213e0d25b2?s=128

Jonathan Claudius

May 15, 2015
Tweet