Dependency Confusion
Overview
Companies use internal registers for placing both internal and public dependencies. In other words, they try to make a single registries with all dependencies, where dependencies are added by company employees. The goal of this approach is to minimize dependence on public registries and, accordingly, reduce the likelihood that a compromised dependency will be used internally.
However, it is not always possible to prohibit absolutely all traffic to public registries. Therefore, if a package manager tries to find an internal dependency in a public registry when resolving it, this can lead to dependency confusion.
The attack develops along the following way:
Company has an internal package named
internal-lib
.internal-lib
is not placed within a public registry, such as pypi, npm, rubygems, and etc.An attacker crafts a package that executes arbitrary code during installation and uploads it to a public registry as
internal-lib
.A package manager uses
internal-lib
from a public registry during installation that leads to code execution.
How to execute code during installation?
Tips
Data collection
To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, you can collect the following data:
username
hostname
current path
Along with the external IPs, there should be enough data to help security teams identify potentially vulnerable systems and avoid mistaking testing as a real attack.
Data retrieval
Since most of the possible targets lie deep within well-protected corporate networks, DNS exfiltration is the best way to retrieve collected data. Send hex-encoded data as a part of a DNS query to a custom authoritative name server. You can use the following resources to implement DNS exfiltration:
1u.ms is a small set of zero-configuration DNS utilities that provide easy to use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents
Interactsh is an OOB interaction gathering server and client library
References
DustiLock is a tool to find which of your dependencies is susceptible to a Dependency Confusion attack.
Confuser is a tool to detect Dependency Confusion vulnerabilities that allows scanning
packages.json
files, generating and publishing payloads to the NPM repository, and finally aggregating the callbacks from vulnerable targets.
Last updated