code-423n4 / 2022-03-timeswap-findings


NPM Dependency confusion. Unclaimed NPM Package and Scope/Org #9

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-timeswap/blob/00317d9a8319715a8e28361901ab14fe50d06172/Timeswap/Convenience/package.json#L40

Vulnerability details

Impact

I discovered an npm package whose scope is unclaimed on the NPM website. This allows any user to claim that package and upload malicious code under that unclaimed package. This results in achieving remote code execution on the machine of any developer/user who depends on the timeswap repository to build it on a local env.

Vulnerable Package Name: @timeswap-labs/timeswap-v1-core

Proof of Concept

  1. Create an Organization called "timeswap-labs".
  2. Create a package called "@timeswap-labs/timeswap-v1-core" under the "timeswap-labs" Organization.
  3. An attacker is able to upload malicious code to the unclaimed npm package with a higher version like 99.99.99.
  4. Now, if any user/timeswap developer installs it via npm install from package.json, the malicious pkg will be executed.

As of now, the package is not claimed on the NPM registry, but it's vulnerable to dependency confusion. You can read more about dependency confusion here: https://dhiyaneshgeek.github.io/web/security/2021/09/04/dependency-confusion/

Tools Used

Nothing, just OSINT.

Recommended Mitigation Steps

Claim the scope name "timeswap-labs" by following step 1 of the above POC.
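A defender-side check for the condition the report describes, as an added example that is not part of the original finding or of the Timeswap code base: it reads a package.json, picks out every scoped dependency, and reports any whose scope is unclaimed or whose exact name is not published on the public registry. The registry lookup is injected so the script runs offline; the package.json contents and the "claimed scopes" / "published packages" sets below are constructed sample data modelled on the state the report describes at the time it was filed (the `@timeswap-labs` scope unclaimed), not live registry state. The `@example-unclaimed/tooling` and `@openzeppelin/example-missing` names are made up for the demo.

```javascript
// Added example (not from the Code4rena report or the Timeswap repo): audit a
// package.json for scoped dependencies whose npm scope or package name is
// unclaimed on the public registry. All sample data below is constructed.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "timeswap-convenience-example", // constructed name
  dependencies: {
    "@timeswap-labs/timeswap-v1-core": "^1.0.0", // package named in the report
    "@openzeppelin/contracts": "^4.5.0",
    "hardhat": "^2.9.0"
  },
  devDependencies: {
    "@example-unclaimed/tooling": "1.0.0",      // constructed: scope does not exist
    "@openzeppelin/example-missing": "1.0.0"    // constructed: scope exists, package does not
  }
});

// Split a dependency name into { scope, name }; unscoped packages get scope null.
function parseDependencyName(dep) {
  const m = /^(?:@([^/]+)\/)?([^/]+)$/.exec(dep);
  if (!m) throw new Error(`invalid package name: ${dep}`);
  return { scope: m[1] ? `@${m[1]}` : null, name: dep };
}

// Collect every dependency name from the usual package.json fields, deduplicated,
// preserving first-seen order.
function collectDependencies(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const names = new Set();
  for (const f of fields) for (const dep of Object.keys(pkg[f] || {})) names.add(dep);
  return [...names];
}

// Classify each scoped dependency. `registry` answers two questions about the
// public registry: does this scope (org/user) exist, and is this exact package
// published there. An unclaimed scope is the case from the report: anyone can
// register it and publish under the dependency's name.
function auditScopedDependencies(pkgJsonText, registry) {
  const findings = [];
  for (const dep of collectDependencies(pkgJsonText)) {
    const { scope } = parseDependencyName(dep);
    if (!scope) continue; // unscoped names are a separate confusion case, not covered here
    if (!registry.scopeExists(scope)) {
      findings.push({ package: dep, scope, risk: "UNCLAIMED_SCOPE" });
    } else if (!registry.packageExists(dep)) {
      findings.push({ package: dep, scope, risk: "UNPUBLISHED_PACKAGE" });
    }
  }
  return findings;
}

// Constructed registry state for the demo. A live version would query
// https://registry.npmjs.org/<name> (200 published, 404 not) and the scope's
// org/user page; both network calls are deliberately left out so this runs offline.
const sampleRegistry = {
  claimedScopes: new Set(["@openzeppelin"]),
  publishedPackages: new Set(["@openzeppelin/contracts", "hardhat"]),
  scopeExists(scope) { return this.claimedScopes.has(scope); },
  packageExists(name) { return this.publishedPackages.has(name); }
};

// Run the audit over the constructed package.json and return the findings.
function runDemo() {
  return auditScopedDependencies(SAMPLE_PACKAGE_JSON, sampleRegistry);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of runDemo()) console.log(`${f.risk}: ${f.package} (scope ${f.scope})`);
}
```

Run as a pre-install check in CI: any `UNCLAIMED_SCOPE` result is the exact condition the report warns about and should block the build until the scope is registered by the project (the mitigation above), while `UNPUBLISHED_PACKAGE` is worth a look when the name is expected to resolve from a private registry rather than the public one.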

amateur-dev commented 2 years ago

Created the organisation. Thank you.

0xleastwood commented 2 years ago

I think this is an interesting attack vector and useful find!

0xleastwood commented 2 years ago

I would normally mark findings unrelated to Solidity code as invalid; however, I think the issue here raises an interesting exploit where an attacker could inject malicious code into a smart contract dependency. As such, I think this is relevant and a valid attack path.