{"id":725,"date":"2024-10-14T11:01:00","date_gmt":"2024-10-14T11:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=725"},"modified":"2024-10-14T11:01:00","modified_gmt":"2024-10-14T11:01:00","slug":"open-source-package-entry-points-could-be-used-for-command-jacking","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=725","title":{"rendered":"Open source package entry points could be used for command jacking"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Open source application packages, including those in Python and JavaScript, have a vulnerability in their entry points that could be used by threat actors to execute malicious code to steal data, plant malware, and more.<\/p>\n<p>This warning to developers and infosec leaders comes in <a href=\"https:\/\/checkmarx.com\/blog\/this-new-supply-chain-attack-technique-can-trojanize-all-your-cli-commands\/\">a report<\/a> released today by researchers at Checkmarx.<\/p>\n<p>They dub the techniques \u201ccommand jacking,\u201d because attackers can use entry points to run specific commands impersonating popular third-party tools and system commands. But attackers could also leverage malicious plugins and extensions.<\/p>\n<p>\u201cEntry point attacks, while requiring user interaction, offer attackers a more stealthy and persistent method of compromising systems [than other tactics], potentially bypassing traditional security checks,\u201d the report warns.<\/p>\n<p>Over the past two years, many researchers have warned that open source package managers are places where threat actors deposit malicious copies of legitimate tools or libraries that developers want, often mimicking or copying the names of these tools \u2013 a technique called typosquatting \u2014 to fool unsuspecting developers.<\/p>\n<p>This latest report is another example of why developers need to be careful when choosing packages to download from open source code repositories.<\/p>\n<p>For example, in March,<a href=\"https:\/\/www.csoonline.com\/article\/2066300\/hackers-drop-risepro-info-stealers-through-github-repositories.html\"> a cybersecurity company warned<\/a> that threat actors had created multiple GitHub repositories, posing as cracked software, to drop the RisePro info-stealer into applications.<\/p>\n<p>Another tactic is<a href=\"https:\/\/www.csoonline.com\/article\/570433\/dependency-confusion-explained-another-risk-when-using-open-source-repositories.html\"> dependency confusion<\/a>, which relies on a threat actor publishing a malicious version of a package with a different version number than the legitimate package.<\/p>\n<p>The Checkmarx researchers say the entry point attack vector exists in several major languages and package managers, including npm (JavaScript), Ruby Gems, NuGet (.NET), Dart Pub, and Rust Crates.<\/p>\n<p>While this method doesn\u2019t allow for immediate system compromise as do automatic scripts or malicious dependencies, Checkmarx says it offers a subtler approach for patient attackers to infiltrate systems, potentially evading standard security measures.<\/p>\n<p>First, a primer: Application entry points control users\u2019 access. The report describes them as a power feature on a packaging system that allows developers to expose specific functions through a command line without requiring users to know the exact import path or structure of the package. Entry points allow the creation of command line scripts that users can run after installing a package, or define plugin systems where third party packages can extend the functionality of a core package. The location and format of entry point definitions vary depending on whether the package is a source or wheel distribution.<\/p>\n<p>The most popular entry point in Python, for example, is \u201cconsole_scripts,\u201d which points to a function the developer wants to be made available as a command line tool to whoever installs a package.<\/p>\n<p>When a package is installed, says the report, these entry points are recorded in the package\u2019s metadata. Other packages or tools can then query this metadata to discover and use the defined entry points.<\/p>\n<p>\u201cIf an attacker can manipulate a legitimate package\u2019s metadata or convince a user to install a malicious package, they can potentially execute arbitrary code on the user\u2019s system whenever the defined command or plugin is invoked,\u201d say the researchers.<\/p>\n<p>The tactic the researchers call command jacking involves using entry points to masquerade as widely-used third-party tools. \u201cThis tactic is particularly effective against developers who frequently use these tools in their workflows,\u201d the report notes. For instance, an attacker might create a package with a malicious \u2018aws\u2019 entry point. When unsuspecting developers who regularly use AWS services install this package and later execute the aws command, the fake \u2018aws\u2019 command could exfiltrate their AWS access keys and secrets.<\/p>\n<p>\u201cThis attack could be devastating in CI\/CD [continuous integration\/continuous delivery] environments, where AWS credentials are often stored for automated deployments,\u201d says the report, \u201cpotentially giving the attacker access to entire cloud infrastructures.<\/p>\n<p>Another example could be a malicious package impersonating the \u2018docker\u2019 command, targeting developers working with containerized applications. The fake \u2018docker\u2019 command might secretly send images or container specifications to the attacker\u2019s server during builds or deployments. In a microservices architecture, this could expose sensitive service configurations or even lead to the exfiltration of proprietary container images, says the report.<\/p>\n<p>Other popular third-party commands that could be potential targets for impersonation include:<\/p>\n<p>npm (the Node.js package manager)<\/p>\n<p>pip (the Python package installer)<\/p>\n<p>git (a version control system)<\/p>\n<p>kubectl (a Kubernetes command-line tool)<\/p>\n<p>terraform (an Infrastructure as Code tool)<\/p>\n<p>gcloud (Google Cloud\u2019s command-line interface)<\/p>\n<p>heroku (the Heroku command line interface)<\/p>\n<p>dotnet (the command line interface for .NET Core)<\/p>\n<p>\u201cEach of these commands is widely used in various development environments, making them attractive targets for attackers looking to maximize the impact of their malicious packages,\u201d says the report.<\/p>\n<p>Another command jacking tactic has been dubbed \u201ccommand wrapping.\u201d Instead of replacing a command, an attacker creates an entry point that acts as a wrapper around the original command. This stealthy approach allows attackers to maintain long-term access and potentially exfiltrate sensitive information without raising suspicion, says the report. However, it adds, implementing command wrapping requires additional research by the attacker. They need to understand the correct paths for the targeted commands on different operating systems and account for potential errors in their code. This complexity increases with the diversity of systems the attack targets.<\/p>\n<p>A third tactic would be creating malicious plugins for popular tools and frameworks. For example, if an attacker wanted to target Python\u2019s pytest testing framework, they would create a plugin which appears to be a utility to help in testing that uses pytest\u2019s entry point. The plugin could then run malicious code in the background, or allow buggy or vulnerable code to pass quality checks.<\/p>\n<p>\u201cIt\u2019s important to clarify that entry points are not inherently problematic,\u201d Yehuda Gelb, a Checkmarx security researcher, told CSO Online. \u201cThey\u2019re a legitimate and useful feature within various language ecosystems, including Python. The vulnerability lies in how this feature can be exploited, not in the feature itself. Rather than \u2018fixing\u2019 entry points, which could break legitimate functionality for many packages, our focus should be on raising awareness among code consumers about the potential risks, and educating them on risk mitigation strategies.\u201d<\/p>\n<p>These strategies include:<\/p>\n<p>verifying the source and integrity of packages before installation<\/p>\n<p>implementing strict code review processes, especially for command line tools<\/p>\n<p>utilizing automated security tools that can detect suspicious entry point usage<\/p>\n<p>\u201cBy concentrating on these areas, we can mitigate the risks associated with entry point manipulation while preserving the functionality and convenience that entry points provide,\u201d Gelb said.<\/p>\n<p>\u201cIt\u2019s crucial to develop comprehensive security measures that account for entry point exploitation,\u201d the report concludes. By understanding and addressing these risks, it said, the security community can work towards a more secure application packaging environment, safeguarding both individual developers and enterprise systems against sophisticated supply chain attacks.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Open source application packages, including those in Python and JavaScript, have a vulnerability in their entry points that could be used by threat actors to execute malicious code to steal data, plant malware, and more. This warning to developers and infosec leaders comes in a report released today by researchers at Checkmarx. They dub the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":726,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-725","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/725"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=725"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/725\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/726"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}