Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

URGENT : BUG - Dependency Confusion Vulnerability leads to RCE(Remote Code Execution) #2038

Open
sa3hin opened this issue Dec 10, 2023 · 4 comments
Open

URGENT : BUG - Dependency Confusion Vulnerability leads to RCE(Remote Code Execution) #2038

sa3hin opened this issue Dec 10, 2023 · 4 comments

Comments

@sa3hin
Copy link

sa3hin commented Dec 10, 2023

Title : Dependency Confusion Vulnerability leads to RCE(Remote Code Execution)

Description :

Dependency confusion is a security vulnerability that can occur when a software project's dependencies are replaced with public malicious packages with names matching or not available internal dependencies.

Details :

Check this requirments.txt file, where rtxt-dep1, rtxt-dep2, rtxt-dep3, rtxt-dep4 are required to be installed, but if you check PyPi Projects https://pypi.org/project/rtxt-dep1/ they are not available.

I registered these packages(except rtxt-dep1) and host a malicious script that can execute any cmd on user's computer. So when a user try to install requirements.txt, he/she will get hacked.

Steps-To-Reproduce :

  1. I Registered these PIP Packages :
    rtxt-dep2
    rtxt-dep3
    rtxt-dep4

PoC :

Using this current version, I can fetch these details : Hostname, Username, PWD, IP etc.

  • Basically I can run any CMD on user's computers

Here is the victim's computer details

hostname : <HIDE>
username : root
pwd : <HIDE>
IP : <HIDE>

Impact :

Attacker can Host Malicious Files on this Package, and when any user downloads it, attacker can achieve RCE(Remote Code Execution).

Mitigation :

Once you have reviewed this report, I will remove this Package and you can upload your own ones there. You can also remove these requirements if they are not important for this Program.

Reference :

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Thanks
@sa3hin
@deepuppal198
@jordansissel
Copy link
Owner

I’m not understanding the report.

You reference dependency confusion which seems to rely on someone using internal package registries in addition to public registries in the same installation step, but your PoC relies on the public PyPI only. FPM’s recommended installation method does not use internal or non-public rubygems repositories, nor does fpm’s gemspec specify gems that do not exist.

Can you explain more how this affects fpm, because I don’t understand.

@jordansissel
Copy link
Owner

Check this requirments.txt file

I looked into this file and it is used in the test suite. Do you believe this is vulnerable? I did a little bit of research around the fpm test suite (specific to python) and I did find any indication that this is vulnerable as you describe. Can you help me understand more? I may have missed something as I only reviewed the test suite for a few minutes before drawing my conclusion.

@jordansissel
Copy link
Owner

and I did find any indication

Typo, I meant "I did not find any indication"

@sa3hin
Copy link
Author

sa3hin commented Dec 11, 2023

Hello @jordansissel,

Sorry for the late reply

Check this file spec/fixtures/python/setup.py, and 163 Line of this File spec/fpm/package/python_spec.rb

It required to installrtxt-dep1, txt-dep2, and rtxt-dep4 dependencies using pip
And when any user installed it, Attacker can execute any cmd from his computer

Please DM me here, so i can so you real users entries.

Thank You

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jordansissel @sa3hin