Remote Code Execution via Dependency Confusion

The following write-up details how I discovered a dependency confusion vulnerability on a HackerOne private program, leading to remote code execution.

Let's refer to the organization as orgxyz.

While running ffuf on one of orgxyz's subdomains, I stumbled upon a disclosed package-lock.json file, specifically engineering.orgxyz.com/package-lock.json.

(Screenshot: package lock file)

The file contained over 100 packages, sparking the idea to test for dependency confusion.

What is dependency confusion?

Dependency confusion, also known as a "substitution attack," is a tactic attackers use to trick developers. They publish malicious code to a public registry under the name of a trusted internal package. When developers install that package, they accidentally download the harmful code. It's like getting fake medicine instead of the real thing.

Thus, the challenge was to identify missing NPM packages. Fortunately, the package-lock.json included NPM registry URLs, prompting me to ping each URL to detect missing packages.

(Screenshot: registry URLs)

I sought assistance from ChatGPT to obtain a Bash script that would provide the status code after visiting each URL. A 404 status code indicated a missing package, notably orgxyz-css-1.0.4.tgz.

Hosting the package orgxyz-css-1.0.4 on NPM with a higher version could potentially lead to an internal application or server within orgxyz inadvertently executing my code.
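The same check run from the defender's side, as an added example (not code from the original write-up): it audits a lockfile for names that return 404 on the public registry and for entries with no integrity hash. The lockfile, the status map and the finding labels are constructed assumptions; in practice the status map would be filled by requesting each package name from the public registry.

```javascript
// Constructed sample in the lockfileVersion 2 layout. All entries are made up
// for illustration; "orgxyz-css" stands in for the package named in the write-up.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 2,
  packages: {
    "": { name: "engineering-site", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/orgxyz-css": { version: "1.0.4",
      resolved: "https://registry.npmjs.org/orgxyz-css/-/orgxyz-css-1.0.4.tgz" },
    "node_modules/@orgxyz/ui": { version: "2.1.0", integrity: "sha512-CONSTRUCTED",
      resolved: "https://npm.internal.example/@orgxyz/ui/-/ui-2.1.0.tgz" }
  }
});
// Constructed lookup results: package name -> HTTP status from the public registry.
const SAMPLE_STATUS = { "left-pad": 200, "orgxyz-css": 404, "@orgxyz/ui": 404 };

// Flatten v2/v3 "packages" or v1 nested "dependencies" into [name, meta] pairs.
function lockEntries(lock) {
  if (lock.packages) {
    return Object.entries(lock.packages)
      .filter(([path]) => path.includes("node_modules/")) // skip root and workspaces
      .map(([path, meta]) => [path.split("node_modules/").pop(), meta]);
  }
  const out = [];
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      out.push([name, meta]);
      walk(meta.dependencies); // v1 nests installed copies here
    }
  };
  walk(lock.dependencies);
  return out;
}

// Report entries a defender should fix: names nobody owns on the public
// registry (404) and entries with no integrity hash pinning the tarball.
function auditLockfile(lockText, publicStatus) {
  const findings = [];
  for (const [name, meta] of lockEntries(JSON.parse(lockText))) {
    const issues = [];
    if (publicStatus[name] === 404) {
      issues.push(name.startsWith("@") ? "verify-scope-ownership" : "unclaimed-public-name");
    }
    if (!meta.integrity) issues.push("missing-integrity");
    if (issues.length) findings.push({ name, version: meta.version, issues });
  }
  return findings;
}
```

An `unclaimed-public-name` finding is closed by moving the package under a scope the organization owns or by registering the name on the public registry; a scoped name is only safe if the organization actually controls that scope there.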

Next steps:

  1. Create an account on npmjs.com.
  2. Develop an index.js script to send a ping back to a canary token or Burp Collaborator URL if executed.
     (Screenshot: index.js file)
  3. Compose a package.json specifying the missing package name. Be sure to use a higher package version so that it is pulled automatically.
     (Screenshot: package.json)
  4. Publish the package and await triggered canary tokens.
  5. About three hours later, I received an email notification confirming the execution of my code on orgxyz's system.
     (Screenshot: canary token triggered)
  6. The next morning, I decided to compose another index.js file to execute system commands and extract information, forwarding them to a Burp Collaborator URL.
  7. Uploaded the new index.js and monitored responses on my Burp Collaborator. Pingbacks with command execution outputs were received approximately an hour later.
     (Screenshot: canary token triggered)
  8. Upon verifying all details, report the vulnerability to the private program. Draft the report and send it once the issue is resolved, resulting in a bounty award.

Timeline:


Thanks,
Anand