Status: Open. Opened by GoogleCodeExporter 9 years ago.
Same problem on my computer! I'm running Windows 7 x64, Ruby 1.9.2-p290,
Origami 1.2.3... Anti-virus software is ESET Smart Security 4 (NOD32).
Regards,
Stole
Original comment by condor...@gmail.com
on 25 Oct 2011 at 12:40
Hello,
Origami ships with a few exploit samples taken from old vulnerabilities in the
wild.
As they contain potentially malicious JS scripts, they may be detected as
malware, although they shouldn't since they are contained in Ruby scripts.
Does your AV software report which files are concerned?
Original comment by guilla...@security-labs.org
on 25 Oct 2011 at 6:27
Thanks for the response...
About the AV report, well, I have not paid attention. :( I exited my AV, installed
the gem, and then started the AV again. I will try to reproduce the issue on my other
computer, I will let you know.
Regards,
Stole
Original comment by condor...@gmail.com
on 25 Oct 2011 at 7:36
Hi,
Here is the log of NOD AV:
http://production.cf.rubygems.org/gems/origami-1.2.3.gem  multiple threats  connection terminated - quarantined  Threat was detected upon access to web by the application: C:\Ruby192\bin\ruby.exe.
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » data.tar.gz  multiple threats
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » data.tar.gz » GZIP » data.tar  multiple threats
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » data.tar.gz » GZIP » data.tar » TAR » samples/exploits/cve-2008-2992-utilprintf.rb  JS/Exploit.Shellcode.A.gen trojan
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » data.tar.gz » GZIP » data.tar » TAR » samples/exploits/cve-2009-0927-geticon.rb  JS/Exploit.Shellcode.B trojan
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » data.tar.gz » GZIP » data.tar » TAR » samples/exploits/exploit_customdictopen.rb  JS/Exploit.Shellcode.A.gen trojan
http://production.cf.rubygems.org/gems/origami-1.2.3.gem » TAR » data.tar.gz » GZIP » data.tar » TAR » samples/exploits/getannots.rb  JS/Exploit.Shellcode.A.gen trojan
Regards,
Stole
Original comment by condor...@gmail.com
on 26 Oct 2011 at 11:13
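The log above shows the AV engine descending through the gem's nesting (gem » TAR » data.tar.gz » GZIP » data.tar » TAR » file) and flagging four files under samples/exploits/. The script below is an added example, not code from origami or from anyone in this thread: it builds a constructed miniature gem with that same nesting (file names taken from the log, bodies are placeholders), walks it back down with RubyGems' own TarReader, and lists which entries sit under samples/exploits/, so you can see what an AV product will find without running the install. SAMPLE_FILES, build_sample_gem, list_gem_contents and flagged_samples are names chosen for this example.

```ruby
require 'rubygems'
require 'rubygems/package'
require 'stringio'
require 'zlib'

# Constructed stand-in for the gem's payload. The file names are the ones the
# ESET log lists; the bodies are placeholders, NOT the real origami samples.
SAMPLE_FILES = {
  'lib/origami.rb'                               => "module Origami; end\n",
  'samples/exploits/cve-2008-2992-utilprintf.rb' => "# placeholder body\n",
  'samples/exploits/cve-2009-0927-geticon.rb'    => "# placeholder body\n",
  'samples/exploits/exploit_customdictopen.rb'   => "# placeholder body\n",
  'samples/exploits/getannots.rb'                => "# placeholder body\n",
}.freeze

# Serialise a name => body hash into a tar archive (returned as a String).
def tar_bytes(files)
  io = StringIO.new(String.new)
  Gem::Package::TarWriter.new(io) do |tar|
    files.each do |name, body|
      tar.add_file_simple(name, 0o644, body.bytesize) { |out| out.write(body) }
    end
  end
  io.string
end

# Assemble a minimal .gem with the nesting the AV log shows:
# .gem (TAR) -> data.tar.gz (GZIP) -> data.tar (TAR) -> files.
# metadata.gz is a placeholder here and is never parsed.
def build_sample_gem(files)
  data_tar_gz = Zlib.gzip(tar_bytes(files))
  metadata_gz = Zlib.gzip("--- !ruby/object:Gem::Specification\nname: origami\n")
  tar_bytes('metadata.gz' => metadata_gz, 'data.tar.gz' => data_tar_gz)
end

# Walk the same nesting back down and return the regular files inside data.tar,
# in archive order. This is what an on-access scanner unpacks and inspects.
def list_gem_contents(gem_bytes)
  contents = []
  Gem::Package::TarReader.new(StringIO.new(gem_bytes)) do |outer|
    outer.each do |entry|
      next unless entry.full_name == 'data.tar.gz'
      inner_tar = Zlib.gunzip(entry.read)
      Gem::Package::TarReader.new(StringIO.new(inner_tar)) do |data|
        data.each { |f| contents << f.full_name if f.file? }
      end
    end
  end
  contents
end

# The paths both AV products in this thread complained about all live under
# samples/exploits/; pull those out so they can be reviewed or excluded.
def flagged_samples(contents)
  contents.grep(%r{\Asamples/exploits/})
end

if __FILE__ == $PROGRAM_NAME
  contents = list_gem_contents(build_sample_gem(SAMPLE_FILES))
  puts "files in data.tar: #{contents.size}"
  flagged_samples(contents).each { |path| puts "  exploit sample: #{path}" }
end
```

To run this against a real download, pass `File.binread` of the .gem file from your RubyGems cache directory to `list_gem_contents` instead of the constructed bytes. The listing tells you which paths the scanner will see inside the archive, which is what the maintainer asked for; it says nothing about whether those files are harmful.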
Yes, I tried installing the origami 1.2.3 gem, McAfee didn't like
exploit_customdictopen.rb when it was unpacking in folder C:\Ruby 193\lib\ruby\gems\1.9.1\cache\origami-1.2.3.gem\data.tar.gz\data.tar.
It "detects" it as JS/Exploit-BO.gen.
Unfortunately, my AV product is controlled by group policy, and I can't
configure it to ignore it.
I'm going to install it on linux instead, but if you wanted to know what it was
hitting the above was it.
Original comment by jamie.ko...@gmail.com
on 10 Nov 2011 at 9:41
Corp policy won't allow this gem. They are triggered as well. Can a Ruby file be used as an actual exploit somehow? Or is it truly completely safe?
Original issue reported on code.google.com by
emiliano...@iris-advies.com
on 20 Oct 2011 at 7:33