URGENT: BUG - Dependency Confusion Vulnerability leads to RCE (Remote Code Execution) #2038
Comments
I’m not understanding the report. You reference dependency confusion which seems to rely on someone using internal package registries in addition to public registries in the same installation step, but your PoC relies on the public PyPI only. FPM’s recommended installation method does not use internal or non-public rubygems repositories, nor does fpm’s gemspec specify gems that do not exist. Can you explain more how this affects fpm, because I don’t understand.
I looked into this file and it is used in the test suite. Do you believe this is vulnerable? I did a little bit of research around the fpm test suite (specific to python) and I did find any indication that this is vulnerable as you describe. Can you help me understand more? I may have missed something as I only reviewed the test suite for a few minutes before drawing my conclusion.
Typo, I meant "I did not find any indication"
Hello @jordansissel, sorry for the late reply. Check this file spec/fixtures/python/setup.py, and it required to install. Please DM me here, so I can show you real user entries. Thank you
Title : Dependency Confusion Vulnerability leads to RCE(Remote Code Execution)
Description :
Dependency confusion is a security vulnerability that can occur when a software project's dependencies are replaced with malicious public packages whose names match internal dependencies that are not publicly available.
Details :
Check this requirements.txt file, where `rtxt-dep1`, `rtxt-dep2`, `rtxt-dep3`, `rtxt-dep4` are required to be installed, but if you check PyPI projects (https://pypi.org/project/rtxt-dep1/) they are not available. I registered these packages (except `rtxt-dep1`) and host a malicious script that can execute any command on the user's computer. So when a user tries to install requirements.txt, he/she will get hacked.
Steps-To-Reproduce :
- rtxt-dep2
- rtxt-dep3
- rtxt-dep4
PoC :
Using this current version, I can fetch these details: Hostname, Username, PWD, IP etc.
Here are the victim's computer details
Impact :
An attacker can host malicious files in this package, and when any user downloads it, the attacker can achieve RCE (Remote Code Execution).
Mitigation :
Once you have reviewed this report, I will remove this package and you can upload your own ones there. You can also remove these requirements if they are not important for this program.
Reference :
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Thanks
@sa3hin
@deepuppal198
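The report above turns on one question: which names in a requirements file does pip resolve by name on the public index, and which of those has nobody registered yet? The following is an added example, not code from the issue or from the fpm project, showing how a maintainer can answer that for a repository file. It applies PEP 503 name normalisation (pip treats `rtxt_dep3` and `rtxt-dep3` as the same project), skips option lines and URL requirements (those are never looked up by name, so they cannot be confused), and flags two things: names nobody has claimed, and names that do resolve publicly although the project only expects them internally. The sample requirements text and the `CONSTRUCTED_INDEX` set are constructed stand-ins for the fixture and for the registration state the reporter describes (`rtxt-dep2` to `rtxt-dep4` claimed, `rtxt-dep1` not); `pypi_exists` uses PyPI's real `/pypi/<name>/json` endpoint and is the only part that needs the network.

```python
"""Dependency-confusion pre-check for a requirements.txt (added example)."""
from __future__ import annotations

import json
import re
import urllib.error
import urllib.request

# Constructed sample modelled on the fixture names discussed in the issue;
# it is not the file from the fpm repository.
SAMPLE_REQUIREMENTS = """\
# test-fixture dependencies (constructed sample)
rtxt-dep1
rtxt-dep2==1.0
rtxt_dep3>=2,<3          # underscore: same project as rtxt-dep3 after normalisation
rtxt-dep4; python_version < "3"
requests[socks]>=2.0
-r other-requirements.txt
https://example.invalid/vendored.whl
"""

# Constructed stand-in for "which names exist on the public index": in the
# report the claimed names were rtxt-dep2..4, while rtxt-dep1 stayed unclaimed.
CONSTRUCTED_INDEX = {"requests", "rtxt-dep2", "rtxt-dep3", "rtxt-dep4"}

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name: str) -> str:
    """PEP 503 normalisation: Foo_Bar, foo-bar and foo.bar are one project to pip."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return the normalised project names a requirements.txt asks pip to resolve by name.

    Option lines (-r, -e, --index-url ...) and URL/path requirements are skipped:
    pip does not look those up on an index by name, so they cannot be confused.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("-") or "://" in line:
            continue
        match = _NAME_RE.match(line)                 # name stops at [, =, <, >, ;, space
        if match:
            names.append(normalize(match.group(0)))
    return names


def pypi_exists(name: str, timeout: float = 10.0) -> bool:
    """Live lookup against PyPI's JSON API (network; the offline demo below does not call it)."""
    url = f"https://pypi.org/pypi/{name}/json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:                          # project name is unregistered
            return False
        raise


def find_unclaimed(names, exists_on_index) -> list[str]:
    """Names nobody has registered: anyone can still claim them and ship an install hook."""
    return [n for n in names if not exists_on_index(n)]


def find_claimed_but_unexpected(names, exists_on_index, expected) -> list[str]:
    """Names that resolve publicly although the project does not expect them there.

    If a name treated as internal/test-only already resolves on the public index,
    the package behind it needs to be inspected before anything installs the file.
    """
    return [n for n in names if exists_on_index(n) and n not in expected]


def demo() -> dict:
    """Run the check offline against the constructed sample and index."""
    names = parse_requirements(SAMPLE_REQUIREMENTS)
    lookup = CONSTRUCTED_INDEX.__contains__          # swap in pypi_exists for a live run
    return {
        "names": names,
        "unclaimed": find_unclaimed(names, lookup),
        "suspicious": find_claimed_but_unexpected(names, lookup, expected={"requests"}),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against the constructed input the check reports `rtxt-dep1` as unclaimed and `rtxt-dep2`, `rtxt-dep3` and `rtxt-dep4` as resolving publicly without being expected, which is exactly the state the report describes. Whether a hit matters depends on who installs the file: a fixture that only the test suite reads never reaches end users, but any CI job or developer that pip-installs it would pull the public package, so a project should either drop such placeholder names, pin real packages with hashes (`pip install --require-hashes`), or register the names itself.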