Dependency Confusion

Overview

Companies use internal registers for placing both internal and public dependencies. In other words, they try to make a single registries with all dependencies, where dependencies are added by company employees. The goal of this approach is to minimize dependence on public registries and, accordingly, reduce the likelihood that a compromised dependency will be used internally.

However, it is not always possible to prohibit absolutely all traffic to public registries. Therefore, if a package manager tries to find an internal dependency in a public registry when resolving it, this can lead to dependency confusion.

The attack develops along the following way:

Company has an internal package named internal-lib.
internal-lib is not placed within a public registry, such as pypi, npm, rubygems, and etc.
An attacker crafts a package that executes arbitrary code during installation and uploads it to a public registry as internal-lib.
A package manager uses internal-lib from a public registry during installation that leads to code execution.

How to execute code during installation?

Tips

Data collection

To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, you can collect the following data:

username
hostname
current path

Along with the external IPs, there should be enough data to help security teams identify potentially vulnerable systems and avoid mistaking testing as a real attack.

Data retrieval

Since most of the possible targets lie deep within well-protected corporate networks, DNS exfiltration is the best way to retrieve collected data. Send hex-encoded data as a part of a DNS query to a custom authoritative name server. You can use the following resources to implement DNS exfiltration:

1u.ms is a small set of zero-configuration DNS utilities that provide easy to use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents
Interactsh is an OOB interaction gathering server and client library

References

Writeup: Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
Report: Insecure Bundler configuration fetching internal Gems (okra) from Rubygems.org
Geek Freak: Dependency Confusion
Writeup: RyotaK's Blog - Remote code execution in cdnjs of Cloudflare
Black Hat EU 2021 - Picking Lockfiles: Attacking and Defending Your Supply Chain
DustiLock is a tool to find which of your dependencies is susceptible to a Dependency Confusion attack.
Confuser is a tool to detect Dependency Confusion vulnerabilities that allows scanning packages.json files, generating and publishing payloads to the NPM repository, and finally aggregating the callbacks from vulnerable targets.

PreviousDependency NextDependency Hijaking

Last updated 2 years ago

Overview

The attack develops along the following way:

Company has an internal package named internal-lib.

internal-lib is not placed within a public registry, such as pypi, npm, rubygems, and etc.

An attacker crafts a package that executes arbitrary code during installation and uploads it to a public registry as internal-lib.

A package manager uses internal-lib from a public registry during installation that leads to code execution.

Tips

Data collection

To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, you can collect the following data:

username

hostname

current path

Along with the external IPs, there should be enough data to help security teams identify potentially vulnerable systems and avoid mistaking testing as a real attack.

Data retrieval

1u.ms is a small set of zero-configuration DNS utilities that provide easy to use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents

Interactsh is an OOB interaction gathering server and client library