Dependency Confusion

Overview

Companies use internal registers for placing both internal and public dependencies. In other words, they try to make a single registries with all dependencies, where dependencies are added by company employees. The goal of this approach is to minimize dependence on public registries and, accordingly, reduce the likelihood that a compromised dependency will be used internally.

However, it is not always possible to prohibit absolutely all traffic to public registries. Therefore, if a package manager tries to find an internal dependency in a public registry when resolving it, this can lead to dependency confusion.

The attack develops along the following way:

  • Company has an internal package named internal-lib.

  • internal-lib is not placed within a public registry, such as pypi, npm, rubygems, and etc.

  • An attacker crafts a package that executes arbitrary code during installation and uploads it to a public registry as internal-lib.

  • A package manager uses internal-lib from a public registry during installation that leads to code execution.

How to execute code during installation?

Tips

Data collection

To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, you can collect the following data:

  • username

  • hostname

  • current path

Along with the external IPs, there should be enough data to help security teams identify potentially vulnerable systems and avoid mistaking testing as a real attack.

Data retrieval

Since most of the possible targets lie deep within well-protected corporate networks, DNS exfiltration is the best way to retrieve collected data. Send hex-encoded data as a part of a DNS query to a custom authoritative name server. You can use the following resources to implement DNS exfiltration:

  • 1u.ms is a small set of zero-configuration DNS utilities that provide easy to use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents

  • Interactsh is an OOB interaction gathering server and client library

References

Last updated