Dependency confusion vulnerability was found in early 2021 by Alex Birsan and helped hackers to gain RCE on some of the biggest tech giants like Apple, Microsoft, and many more.
This vulnerability occurred because individuals/organizations blindly trusted public repositories and commands like these `npm install package_name
` to install dependencies.
In this blog, we will cover all about this vulnerability, from what it is to how to exploit it, in a step-by-step guide.
What is the Dependency Confusion vulnerability?
This type of attack happens when the attacker tricks the person or organization into thinking they are using normal commands to install and upgrade things, but they are actually running bad scripts that can take control of the system. This is a Remote Code Execution attack.
These vulnerabilities are most commonly found in JavaScript applications because it is a highly used language in Web Development. We can discover internal package.json files, which hold important information about projects and gives us the list of public and private packages used and installed in the project.
But these vulnerabilities are also found in Python and ruby projects and all other applications that let users install and use some public and private packages.
Who does Dependency Vulnerability affect?
The dependency confusion vulnerability mostly affects organizations that use Private packages/dependencies for their project and then share their internal package.json or requirements.txt files with the public.
This becomes an issue because an attacker can grab that internal file and check for the private packages not registered with their specific vendors.
Later, this could lead to vulnerabilities because of the blind trust we put in commands like these `npm install package_name
`.
How to find a dependency vulnerability
In this vulnerability, the attacker first tries to get hold of an internal file like package.json or requirements.txt by searching public repositories through fuzzing, Dorking, or any means necessary.
The attacker then takes the package.json file and searches through all the dependencies to find if they are private or public dependencies.
We can search the dependencies manually one by one in the npm registry website or search the list of dependencies all together at once by using a tool called confused, but this tool can sometimes give a false-positive report, so always be ready to double-check with the npm registry website.
If you find a dependency or multiple dependencies that are private and not listed on public registries, then you can start your attack.
How to exploit the Vulnerability?
After finding those Private dependencies names, we have to register those private dependencies names with NPM public registries and remember to register with the same name.
Now let’s start our attack by creating a malicious package. (Note: – From here, we will be working with Terminal.)
- Firstly, we need to Sign-up for an account in NPMJS.
- Open the Terminal and install npm using apt, brew, or yarn, according to your OS.
- Log in to npm using the `name login` command.
- Now type the command `npm init` to create a malicious package. While creating this package, you need to remember two things:
- First, the package name you enter should be the same as the private package you found in package.json.
- Second, the version you enter should be higher than the private package version (i.e., version ^100.0.0). When the victim upgrades or installs the package, npm will install the highest version available.
- Edit the recently created package.json file in your current directory using any editor. Add this line to your scripts object `“preinstall”: “node index.js.”`
- Now create a malicious index.js file which will run before this package installs and collect some of the user info and send it to you, and that will verify if the attack was successful or not.
- Now let’s publish the two files using `npm publish` to the npm registry we just created.
You should wait for the package to install or update on some Individual/Organization systems. Sometimes this could take days, weeks, or even minutes, but once installed after that, our script will gather some info about the server and get back to us via burp collaborator.
Recommendations to fix the vulnerability
The simple way to fix the Dependency Confusion vulnerability in most applications like npm, python, ruby, etc., is to register your private package name on public registries so that attackers can’t use that name for the attack.
If you have many private packages, you can also register a domain name in public registries and then name all your private packages under that domain. This way, you don’t need to register hundreds of names in the public registry. Just a domain name would be enough to protect against attackers.
Bonus: To find and exploit vulnerabilities in a project, you must first obtain its internal file. Then, use a ” confused ” tool to find any vulnerable private packages. Next, create a malicious package with the same name and upload it to the project’s package manager. (Note: You can pre-write those malicious packages, which will automatically call you back when started on the victim server. Later, while creating the exploit, you won’t need to create new malicious packages repeatedly.)
Conclusion
In this article, we only discussed how to exploit npm packages, but there are many more package managers/vendors which are vulnerable to this type of attack (i.e., node, python, ruby, Java, .NET, PHP, objective-c, docker, go, rust).
So if you are concerned about the rising threat of dependency confusion attacks and the potential for RCE vulnerabilities in your code? Don’t take any chances – partner with SecureLayer7 for expert code security and peace of mind.
Our experienced team is well-versed in the latest attack vectors, including dependency confusion. We are here to help you protect your code from any possible vulnerability. We offer a range of services and tailored solutions to meet your specific needs, including code reviews, vulnerability assessments, and penetration testing.
By choosing SecureLayer7, you can be sure that your code is in the best possible hands. Our team of experts will work closely with you to understand your unique situation and recommend the best possible approach to safeguard your code.
With our industry-leading tools and techniques, we will help you identify and remediate vulnerabilities before attackers can exploit them. Are you ready to take the necessary steps to secure your code and prevent RCE attacks, don’t wait any longer. Contact SecureLayer7 today to get started. We guarantee you’ll be glad you did!