An argument injection flaw exposed Composer to RCE

SonarSource researchers discovered a vulnerability in a core component of Composer, the primary package manager for PHP applications, that could have been exploited to attack code repositories.

The vulnerable component is Packagist, which Composer relies on to find and download the software dependencies that programmers declare in their projects. Every month, Composer distributes about two billion software packages.

According to a technical blog post by SonarSource, the flaw could have been used to distribute malicious, backdoored packages to servers.

The security issue put an estimated 3500,000 dependents in danger.

Fortunately, the flaw was quickly fixed by the project maintainers after it was discovered.

Argument injection

A year before this discovery, SonarSource had found and reported another supply chain attack vulnerability in Packagist. That earlier problem lay in the classes that handle version control systems (VCS) such as Git, Mercurial, and Subversion in order to resolve dependencies from code repositories.

The maintainers of Packagist addressed the vulnerability, but SonarSource researchers discovered that other implementations of the same class remained open to potential attack.

According to Thomas Chauchefoin, a vulnerability researcher at SonarSource, “Our past study helped us traverse swiftly to the juicy areas of the code base, but at the same time, we’ve missed this flaw numerous times when evaluating code and patches linked to our previous finding.”

To display information about a package, Packagist pulls content from readme.md or from a file the user specifies in the code repository. Packagist includes a separate implementation for fetching file data from each VCS, and each of these implementations builds a shell command from the user-supplied file's contents.

According to SonarSource, if an attacker placed harmful commands in the information file, they would be passed as arguments to the shell command executed on the machine. Packagist did apply escaping to block dangerous input, but this still left several openings.

Supply chain attack

The researchers demonstrate how the flaw can be used to execute arbitrary commands on the server in a proof-of-concept video.

An attacker who used the flaw to alter a package's specification and point it somewhere the developers did not intend could compromise the software development pipeline.

According to Chauchefoin, “Defending against argument injection problems is really uncommon compared to all the strategies we’ve been promoting to developers in the past decade. And I guess that’s why we’ve been finding them so frequently.”

Third-party data can be encoded, escaped, and rigorously checked, yet that is sometimes still insufficient: an escaped value that starts with a dash reaches the invoked program intact and can be interpreted as an option rather than as data.
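The following is an added illustration of the pattern described in the Argument injection section and in the paragraph above; it is example code written for this page, not Packagist's or SonarSource's code. It assumes a generic VCS tool with a `cat` subcommand (Mercurial's `hg cat` is the model) and uses constructed sample file names. It contrasts the flawed approach, shell-escaping a user-controlled file name and appending it to a command line, with a hardened one that allowlists the value and passes it as an argv element after `--`, so that nothing the user supplies can be parsed as an option.

```python
import re
import shlex

# Constructed sample metadata values (not taken from the page or from Packagist's code).
# shlex.quote treats '-' as a safe character, so an option-looking value comes
# back unchanged: shell escaping never considers it dangerous.
SAMPLE_FILENAMES = [
    "README.md",
    "docs/intro.md",
    "--some-option=value",   # looks like an option to the invoked tool
    "-x",
    "../outside.md",         # path traversal
    "README.md; id",         # shell metacharacters: quoting does handle this one
]


def build_shell_line_naive(tool: str, filename: str) -> str:
    """The flawed pattern: the file name is escaped for the shell and appended.

    Quoting stops the shell from interpreting the value, but the VCS tool still
    receives it as a positional argument, and if it starts with '-' the tool's
    own option parser will treat it as a flag.
    """
    return f"{tool} cat {shlex.quote(filename)}"


class UnsafeArgument(ValueError):
    """Raised when a metadata value must not be passed to a subprocess."""


# Allowlist: a repository-relative path made of ordinary characters only.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_.][A-Za-z0-9_./-]*$")


def validate_repo_path(filename: str) -> str:
    """Reject values that could be parsed as options or escape the repository."""
    if not filename:
        raise UnsafeArgument("empty file name")
    if filename[0] == "-":
        raise UnsafeArgument(f"option-like value rejected: {filename!r}")
    if filename[0] == "/":
        raise UnsafeArgument(f"absolute path rejected: {filename!r}")
    if not _SAFE_PATH.match(filename):
        raise UnsafeArgument(f"disallowed characters in {filename!r}")
    if any(part in ("", ".", "..") for part in filename.split("/")):
        raise UnsafeArgument(f"path traversal or empty component in {filename!r}")
    return filename


def build_argv_hardened(tool: str, filename: str) -> list:
    """Build an argv list (no shell involved) with '--' ending option parsing.

    The allowlist above is the primary control; '--' is defence in depth for
    the many, though not all, tools that honour it as end-of-options.
    """
    return [tool, "cat", "--", validate_repo_path(filename)]


def is_accepted(filename: str) -> bool:
    """True if the value passes validation; used for reporting."""
    try:
        validate_repo_path(filename)
        return True
    except UnsafeArgument:
        return False


if __name__ == "__main__":
    # 'hg' is only a stand-in tool name here; nothing is executed.
    for name in SAMPLE_FILENAMES:
        print(f"{name!r:24} naive: {build_shell_line_naive('hg', name)}")
        if is_accepted(name):
            print(f"{'':24} hardened argv: {build_argv_hardened('hg', name)}")
        else:
            print(f"{'':24} hardened: REJECTED")
```

Running it shows that `--some-option=value` survives `shlex.quote` unchanged and lands on the command line as a flag, while the hardened path rejects it before any process is spawned. The same validation should be applied regardless of which VCS back end is in use, since the original flaw recurred precisely because a fix was applied to one implementation and not its siblings.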

Protect yourself

Shortly after SonarSource informed Packagist of the flaw, it was patched. You are already protected if you are using the default official Packagist instance or Private Packagist. You must update to one of the patched versions of the library if you’ve incorporated Composer as a library and use untrusted repositories.

Since these are important initiatives that have years of work behind them, nothing changed in the year since our prior discovery, Chauchefoin explained.

If features such as signing of build artefacts (i.e., packages) were enforced, the workflows of millions of developers would undoubtedly need non-trivial adjustments.

Chauchefoin expressed optimism that greater adoption of innovative standards like sigstore may reduce the dangers of supply chain threats.

“Ideally, package managers should just act as conduits connecting package maintainers and users, with no access to the information flowing inside. The trick is to sign everything, and sigstore makes that much easier to do,” he stated.
