Remote Code Execution in Illuvium via Gem Takeover

A real-world example demonstrating how a hijacked gem package can lead to remote code execution that affects users following installation instructions.

In September 2023, our tool detected that Illuvium's GitHub repository, IIPs, contained instructions for users to install and run the iip_validator gem.

We found that this gem did not exist on RubyGems, so we were able to upload a placeholder package to claim the name and report the issue to Illuvium.

How this could have been exploited

The repository's README.md file instructed users to install the gem and then run it:

gem install iip_validator
iip_validator <INPUT_FILE>

If an attacker had found this before we did and uploaded a malicious package, it could have been exploited in several ways to achieve remote code execution (RCE) on a victim's computer or server.

Waiting for intended behavior

Users attempting to validate an IIP would have been hacked simply by following the instructions. The README.md file also suggests that the Illuvium team itself might use that gem to validate IIPs before they are approved.

Social engineering

Controlling a package referenced in a company's own installation instructions is all an attacker needs nowadays to run a convincing social engineering attack that ends in compromise of the organization.

It is an easy way for a hacker to social engineer someone into installing malware: a victim would not normally question installation instructions found in a company's official repository or documentation, and would run whatever commands they are told to.

Bug fix

The Illuvium team fixed the vulnerability shortly after we reported it by removing the installation instructions.

Disclosure timeline
  • Sept 26, 2023: Bug reported on Immunefi Bug Bounty program.
  • Sept 27, 2023: Bug fixed.
  • Oct 5, 2023: $4000 bounty awarded.

How attacks like this can be prevented

This vulnerability could have been avoided by:

❌ Spending days double-checking every package in your organization's documentation manually. 😓

✅ Using SupplyShark to detect the issue automatically! 🥳

SupplyShark detects this type of vulnerability as part of our continuous monitoring service and alerts you immediately if a gem referenced by your project is still available to be registered.
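As an added illustration of the kind of check described above (example code written for this post, not SupplyShark's or Illuvium's tooling), the following Ruby script pulls gem names out of README `gem install` commands and Gemfile `gem '...'` lines and flags any that a registry lookup reports as unregistered. The RubyGems `/api/v1/gems/NAME.json` endpoint used for the live lookup is the real one, but the demo runs against a constructed stand-in registry so it works offline.

```ruby
require 'net/http'
require 'uri'

# "gem install foo bar" lines in docs (optional "$ " prompt) and gem 'foo' lines in a Gemfile.
INSTALL_RE = /^\s*(?:\$\s*)?gem\s+install\s+([^#\n]+)/
GEMFILE_RE = /^\s*gem\s+['"]([A-Za-z0-9_.\-]+)['"]/

# Unique gem names referenced in README or Gemfile text, in order of appearance.
def referenced_gems(text)
  names = []
  text.each_line do |line|
    if (m = INSTALL_RE.match(line))
      toks = m[1].split
      until toks.empty?
        tok = toks.shift
        if %w[-v --version].include?(tok) then toks.shift  # skip the version argument
        elsif !tok.start_with?('-') then names << tok      # ignore other option flags
        end
      end
    elsif (m = GEMFILE_RE.match(line))
      names << m[1]
    end
  end
  names.uniq
end

# Live check against the RubyGems API: 200 means the name is taken, 404 means anyone
# could register it. Needs network access, so it is only the default, not what the demo uses.
def registered_on_rubygems?(name)
  uri = URI("https://rubygems.org/api/v1/gems/#{URI.encode_www_form_component(name)}.json")
  Net::HTTP.get_response(uri).is_a?(Net::HTTPSuccess)
end

# Names that +lookup+ (a callable answering true when the gem exists) reports as unregistered.
def unclaimed_gems(text, lookup = method(:registered_on_rubygems?))
  referenced_gems(text).reject { |name| lookup.call(name) }
end

# Constructed README fragment modelled on the Illuvium instructions (not the real file).
SAMPLE_README = <<~DOC
  $ gem install iip_validator
  iip_validator <INPUT_FILE>
  gem install rake -v 13.0.6
DOC

if $PROGRAM_NAME == __FILE__
  known = ['rake']  # constructed stand-in for the registry, so the demo runs offline
  unclaimed_gems(SAMPLE_README, ->(n) { known.include?(n) }).each do |name|
    puts "UNCLAIMED: '#{name}' is in the docs but not on RubyGems; register it or drop the instruction"
  end
end
```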

Sign up for SupplyShark to get started securing your supply chain!