search

jordansissel / fpm

Effing package management! Build packages for multiple platforms (deb, rpm, etc) with great ease and sanity.
http://fpm.readthedocs.io/en/latest/
Other
11.17k stars 1.07k forks source link

URGENT : BUG - Dependency Confusion Vulnerability leads to RCE(Remote Code Execution) #2038

Open sa3hin opened 11 months ago

sa3hin commented 11 months ago

Title : Dependency Confusion Vulnerability leads to RCE(Remote Code Execution)

Description :

Dependency confusion is a security vulnerability that can occur when a software project's dependencies are replaced with public malicious packages with names matching or not available internal dependencies.

Details :

Check this requirments.txt file, where rtxt-dep1, rtxt-dep2, rtxt-dep3, rtxt-dep4 are required to be installed, but if you check PyPi Projects https://pypi.org/project/rtxt-dep1/ they are not available.

I registered these packages(except rtxt-dep1) and host a malicious script that can execute any cmd on user's computer. So when a user try to install requirements.txt, he/she will get hacked.

Steps-To-Reproduce :

  1. I Registered these PIP Packages : rtxt-dep2 rtxt-dep3 rtxt-dep4

PoC :

Using this current version, I can fetch these details : Hostname, Username, PWD, IP etc.

Here is the victim's computer details

hostname : <HIDE>
username : root
pwd : <HIDE>
IP : <HIDE>

Impact :

Attacker can Host Malicious Files on this Package, and when any user downloads it, attacker can achieve RCE(Remote Code Execution).

Mitigation :

Once you have reviewed this report, I will remove this Package and you can upload your own ones there. You can also remove these requirements if they are not important for this Program.

Reference :

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Thanks @sa3hin @deepuppal198

jordansissel commented 11 months ago

I’m not understanding the report.

You reference dependency confusion which seems to rely on someone using internal package registries in addition to public registries in the same installation step, but your PoC relies on the public PyPI only. FPM’s recommended installation method does not use internal or non-public rubygems repositories, nor does fpm’s gemspec specify gems that do not exist.

Can you explain more how this affects fpm, because I don’t understand.

jordansissel commented 11 months ago

Check this requirments.txt file

I looked into this file and it is used in the test suite. Do you believe this is vulnerable? I did a little bit of research around the fpm test suite (specific to python) and I did find any indication that this is vulnerable as you describe. Can you help me understand more? I may have missed something as I only reviewed the test suite for a few minutes before drawing my conclusion.

jordansissel commented 11 months ago

and I did find any indication

Typo, I meant "I did not find any indication"

sa3hin commented 11 months ago

Hello @jordansissel,

Sorry for the late reply

Check this file spec/fixtures/python/setup.py, and 163 Line of this File spec/fpm/package/python_spec.rb

It required to installrtxt-dep1, txt-dep2, and rtxt-dep4 dependencies using pip And when any user installed it, Attacker can execute any cmd from his computer

Please DM me here, so i can so you real users entries.

Thank You