@quangDecember
Last active March 21, 2021 12:50
Package Management exploitation

Presented by Quang and Nikolas

Background

Authors

  • Justin Gardner and Alex Birsan are two “Bug Bounty Hunters”.
  • Bug Bounties: Software organizations will compensate individuals for disclosing any bugs (including security vulnerabilities) found on their platform.
  • In the summer of 2020, they were targeting Paypal to see if they could find any security vulnerabilities worth reporting.

Project Dependencies

  • Helps speed up development time, reduce boilerplate code, and avoid “reinventing the wheel”.
  • As a result, the project becomes “dependent” on these packages in order to work as expected.
  • Large projects will likely have many dependencies. How do we keep track of all the 3rd-party code?

Package Managers

  • Many languages have adopted a package management system to help developers keep track and manage their dependencies.
  • Makes it relatively straightforward to install, update and delete packages stored in repositories.
  • For this particular exploit, Alex and Justin only targeted npm, PyPI and RubyGems.

Node Package Manager, npm

Setup and Basic Commands

  • Since npm is so common, it is installed alongside Node.js, JavaScript’s runtime environment. Install Node.js
  • Check if npm is installed: npm -v
  • Use npm for your project: npm init
  • Install package (Express in this case): npm i express
  • Install specific version: npm i express@4.3.0
  • Remove package: npm uninstall express

Exploit

Justin stumbled upon an interesting piece of code within one of Paypal’s projects on Github:


The packages in red did not appear on npm’s official registry. They appear to be PayPal-specific packages hosted on a private npm registry.

Justin Gardner and Alex Birsan wondered:

"What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?"

"Would this attack work against other companies too?"


Exploit Plan

  1. Create a “malicious” JavaScript package.
  • “Malicious” meaning the attack is not actually malicious, per se. Rather, it is meant to be a valid proof of concept that raises enough concern without being too intrusive.
  2. Collect as many private package names as possible.
  • Slightly more difficult. They searched for dependency files (e.g. package.json) in public repositories on GitHub and GitLab, as well as JavaScript files, which often include the names of all dependencies used by that project.
  • They were able to gather hundreds of private package names from several companies such as Tesla, Apple, PayPal, Shopify, Uber, Netflix and more.
  3. Upload the package to npm under the same name as the private dependencies. For example, auth-paypal, analytics-paypal.
  • Really easy (which is part of the problem).
  4. Wait to see if the packages get installed.
  5. To prove that it worked, log information about the system it was installed on and send it back to Justin and Alex. They settled on collecting information such as username, hostname, IP address, and the file path of the installed package.
  • Difficult since large tech companies have intricate firewalls and intrusion detection systems (IDS).

Overcoming Firewall and IDS

Domain Name System (DNS)


  • DNS is responsible for translating domain names to their corresponding IP addresses.
  • The vast number of domain names on the Internet today exceeds the capacity of any one database, so DNS follows a distributed model.

DNS Exfiltration


  • Data gathered by the package was encoded into hexadecimal format.
    • Before: {ip: 160.97.6.139, filepath: home/projects/important-project, ... }
    • After: 0x60ab7a9756
  • Alex and Justin prepended the hex string as a subdomain of a domain name they own.
  • Google’s DNS resolver queried an authoritative server that Justin and Alex control, and the subdomain (i.e. the encoded data) was recorded there.
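The defender-side counterpart to the exfiltration above, as an added example that is not part of the original presentation: a small detector run over constructed DNS query log lines that flags queries whose labels are long hex runs (or long high-entropy labels, which generalizes the check to base32/base64 variants of the same trick) and decodes the hex chunks to show what left the network. The log line format and the attacker-controlled.example domain are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real data); format: "<timestamp> <client> <qname> <qtype>".
# The attacker-controlled.example queries carry hex-encoded payload labels, split into chunks
# because a single DNS label cannot exceed 63 characters.
SAMPLE_DNS_LOG = """\
2021-03-01T10:00:01Z 10.0.4.12 www.example.com A
2021-03-01T10:00:02Z 10.0.4.12 registry.npmjs.org A
2021-03-01T10:00:03Z 10.0.4.12 7b69703a203136302e39372e362e3133397d.attacker-controlled.example A
2021-03-01T10:00:04Z 10.0.4.12 cdn.jsdelivr.net A
2021-03-01T10:00:05Z 10.0.4.12 2f686f6d652f70726f6a656374732f.696d706f7274616e742d70726f6a656374.attacker-controlled.example TXT
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def shannon_entropy(s):
    """Bits per character; long labels above ~3.0 are rarely human-chosen hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_labels(qname, min_entropy=3.0):
    """Labels of qname that look like an encoded payload: long hex runs or long high-entropy labels."""
    out = []
    for label in qname.lower().rstrip(".").split("."):
        if HEX_LABEL.match(label) or (len(label) >= 24 and shannon_entropy(label) >= min_entropy):
            out.append(label)
    return out


def flag_exfil_queries(log_text):
    """Return (client, qname, decoded) per flagged query; decoded is None unless the hex chunks are ASCII."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, qname, _qtype = parts[:4]
        labels = suspicious_labels(qname)
        if not labels:
            continue
        decoded = None
        hex_chunks = [lab for lab in labels if HEX_LABEL.match(lab)]
        if hex_chunks:
            try:  # chunks are joined in label order, reversing the split the sender had to make
                decoded = bytes.fromhex("".join(hex_chunks)).decode("ascii")
            except ValueError:
                pass
        findings.append((client, qname, decoded))
    return findings
```

In a real deployment the same logic would run over resolver logs (or passive DNS), with an allowlist for services that legitimately use long hashed labels such as CDN or certificate-transparency hostnames.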

Results


  • Over 35 organizations installed the “malicious” package (the vast majority with over 1000 employees).
  • ~75% of successful targets came from npm packages. This is not to say JavaScript packages are more prone to this sort of attack; rather, they are more prevalent in industry. The authors reported a 50% success rate for RubyGems (the highest of the three ecosystems tested).

Cause of vulnerability

  • Largely remains unclear. Companies involved in the attack were hesitant to share internal details surrounding their private package management systems.

Python Pypi

  • pip install <package-name> --extra-index-url will check both the private and the public repository for the specified package. If the package exists in both, pip installs whichever has the higher version number.

RubyGem

  • gem install --source will work in a similar fashion.
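To make the resolution rule behind the pip and gem cases concrete, here is an added Python model (not pip's or RubyGems' own code; the index contents are constructed) of the pool-everything-and-take-the-highest-version behaviour, next to a policy that binds each internal name to the private index only, plus an audit that lists dependency names present on both indexes.

```python
# Constructed index contents (not real packages): package name -> versions published there.
PRIVATE_INDEX = {"internal-auth": ["1.4.2", "1.5.0"], "billing-core": ["0.9.1"]}
PUBLIC_INDEX = {"requests": ["2.25.1"], "internal-auth": ["99.0.0"]}  # squatted name, inflated version
INTERNAL_NAMES = set(PRIVATE_INDEX)


def parse_version(v):
    """Dotted integer versions only; full PEP 440 / RubyGems version semantics are out of scope here."""
    return tuple(int(p) for p in v.split("."))


def resolve_extra_index(name, private_index, public_index):
    """Model the --extra-index-url behaviour described above: candidates from both indexes are
    pooled and the highest version wins, whichever index it came from (ties broken arbitrarily)."""
    candidates = [(parse_version(v), "private", v) for v in private_index.get(name, [])]
    candidates += [(parse_version(v), "public", v) for v in public_index.get(name, [])]
    if not candidates:
        raise LookupError(f"{name}: not found on any index")
    _key, origin, version = max(candidates)
    return version, origin


def resolve_pinned_source(name, private_index, public_index, internal_names):
    """Hardened policy: a name declared internal is only ever taken from the private index and is
    an error if missing there (never a fallback to the public index); all other names come from
    the public index only. Version ranges alone cannot enforce this; the source must be bound."""
    origin = "private" if name in internal_names else "public"
    index = private_index if origin == "private" else public_index
    versions = index.get(name, [])
    if not versions:
        raise LookupError(f"{name}: not found on its designated {origin} index")
    return max(versions, key=parse_version), origin


def audit_collisions(requirements, private_index, public_index):
    """Dependency names that exist on both indexes, i.e. confusion candidates to review first."""
    return sorted(n for n in requirements if n in private_index and n in public_index)
```

Running the audit regularly against the real public registry is the practical check: any internal name that suddenly appears there is either a collision to investigate or a name the organization should have reserved.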

Conclusion

  • Microsoft authored a white-paper suggesting ways to prevent this type of attack.
  • Alex and Justin received bounties from Shopify, Apple and PayPal, valued at $30,000 each.