Dependency confusion


https://rocksolidbbs.com/rocksolid/article-flat.php?id=289&group=rocksolid.shared.hacking#289

Path: i2pn2.org!rocksolid2!.POSTED.novabbs-internal!not-for-mail
From: poster@anon.com (Anonymous)
Newsgroups: rocksolid.shared.hacking
Subject: Dependency confusion
Date: Wed, 10 Feb 2021 09:13:28 -0800
Organization: rocksolid2 (novabbs.org)
Message-ID: <ha.960.2wzhbi@anon.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=bcf81dd0f20fdead0c8c3cdb8ccdcb16fe7c4d6a
Injection-Info: novabbs.org; posting-account="def2"; posting-host="novabbs-internal:10.136.143.187";
logging-data="28890"; mail-complaints-to="usenet@novabbs.org"
 by: Anonymous - Wed, 10 Feb 2021 17:13 UTC
Attachments: jfrog.png (image/png)

That is a really cool way to get your code to run: just disguise it as a legitimate library and let the developers do the rest:

For instance, the main culprit of Python dependency confusion appears to be the incorrect usage of an “insecure by design” command line argument called --extra-index-url. When using this argument with pip install library to specify your own package index, you may find that it works as expected, but what pip is actually doing behind the scenes goes something like this:

1. Checks whether library exists on the specified (internal) package index
2. Checks whether library exists on the public package index (PyPI)
3. Installs whichever version is found. If the package exists on both, it defaults to installing from the source with the higher version number.

Therefore, uploading a package named library 9000.0.0 to PyPI would result in the dependency being hijacked in the example above.

Although this behavior was already commonly known, simply searching GitHub for --extra-index-url was enough to find a few vulnerable scripts belonging to large organizations — including a bug affecting a component of Microsoft’s .NET Core. The vulnerability, which may have allowed adding backdoors to .NET Core, was unfortunately found to be out of scope in the .NET bug bounty program.

(https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
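Added illustration, not part of the original post or of pip itself: a small Python model of the resolution rule the quoted passage describes (every configured index is consulted and the highest version wins, whichever index it came from), next to a defender-side check that flags private package names that also exist on the public index. The index contents, the package names "library" and "billing-core" and the version numbers are constructed for the example.

```python
"""Model of pip's behaviour with --extra-index-url as described in the post,
plus a name-collision check a defender can run over their own package list.
This is an added illustration, not pip's code; all index data is constructed."""

from typing import Dict, List, Optional, Tuple

# Constructed sample indexes: package name -> available version strings.
INTERNAL_INDEX: Dict[str, List[str]] = {
    "library": ["1.4.2", "1.5.0"],     # private package (hypothetical name)
    "billing-core": ["0.9.1"],          # private package (hypothetical name)
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.25.1"],
    "library": ["9000.0.0"],            # same name published on the public index (constructed)
}

Index = Dict[str, List[str]]


def parse_version(v: str) -> Tuple[int, ...]:
    """Minimal numeric version key; PEP 440 is richer, but this suffices here."""
    return tuple(int(part) for part in v.split("."))


def resolve(name: str, indexes: List[Tuple[str, Index]]) -> Tuple[str, str]:
    """Return (source, version) chosen the way the post describes: all indexes
    are searched and the highest version number wins, regardless of source."""
    best: Optional[Tuple[str, str]] = None
    for source, index in indexes:
        for version in index.get(name, []):
            if best is None or parse_version(version) > parse_version(best[1]):
                best = (source, version)
    if best is None:
        raise LookupError(f"{name} not found on any configured index")
    return best


def resolve_with_extra_index(name: str) -> Tuple[str, str]:
    """Mirrors: pip install --extra-index-url <internal> <name>
    (the public index stays in the search list)."""
    return resolve(name, [("internal", INTERNAL_INDEX), ("pypi", PUBLIC_INDEX)])


def resolve_internal_only(name: str) -> Tuple[str, str]:
    """Mirrors: pip install --index-url <internal> <name>
    (only the internal index is consulted, so a public copy cannot win)."""
    return resolve(name, [("internal", INTERNAL_INDEX)])


def find_collisions(internal: Index, public: Index) -> List[str]:
    """Defender check: private names that also exist publicly can be hijacked
    under the highest-version rule, so they need review or a claimed name."""
    return sorted(set(internal) & set(public))


if __name__ == "__main__":
    print(resolve_with_extra_index("library"))          # ('pypi', '9000.0.0')
    print(resolve_internal_only("library"))             # ('internal', '1.5.0')
    print(find_collisions(INTERNAL_INDEX, PUBLIC_INDEX))  # ['library']
```

Running the block shows the failure mode in one line: with the extra index configured, "library" resolves to the 9000.0.0 copy on the public index, while restricting resolution to the internal index keeps 1.5.0. Note the trade-off the single-index variant implies: packages such as "requests" are then only installable if the internal index proxies the public one, which is why the usual mitigation is a private index that mirrors PyPI and is the sole `--index-url`, combined with pinned versions and hash checking in requirements files.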
