jmg
/
blog
1
0
Forka 0
Codice Problemi 0 Pull Requests 0 Rilasci 0 Wiki Attività
The blog.
Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
89 Commit
1 Ramo (Branch)
4.6 MiB
 
 
 
 
Albero (Tree): bf2a50757e
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da 'bf2a50757e'
${ noResults }
blog/content/2021/07/CODEpendence-github.html

109 righe
4.9 KiB
Originale Blame Cronologia 

  1. ---

  2. title: CODEpendence

  3. description: >

  4.   How to surreptitiouslyinject code via submodules that use GitHub repos

  5. created: !!timestamp '2021-07-07'

  6. time: 11:16 AM

  7. tags:

  8.   - security

  9.   - GitHub

  10.   - git

  11. ---

  12. 

  13. TL;dr: If you use submodules that point to a GitHub repo, make sure

  14. that the commit id matches an offical branch or tag, especially if

  15. upgraded via a PR or submitted patch.

  16. 

  17. This issue was disclosed to GitHub via the HackerOne Bug Bounty

  18. program and resolved by them in a timely manner.  The

  19. [writeup](https://www.funkthat.com/~jmg/github.submodules.hash.txt) is

  20. available and is the same one that was provided to GitHub.  It contains

  21. the complete steps in more detail than this blog post does.

  22. 

  23. Discovery

  24. ---------

  25. 

  26. Earlier this year, I was dealing with a git repo that used submodules.

  27. I've never been a fan of them due to the extra work involved in using

  28. them.  But then a thought hit me, last year, when GitHub took down

  29. youtube-dl, someone was a bit sneaky and inserted a [copy of it into

  30. GitHub's DMCA repo](https://www.reddit.com/r/programming/comments/jhlhok/someone_replaced_the_github_dmca_repo_with/).

  31. They were able to do this because there is a feature/bug in GitHub's

  32. backend, that all the commits to a forked repo are accessible in the

  33. parent repo, it's just that the branches and tags are maintained

  34. separately.<label for="sn-reason" class="margin-toggle sidenote-number">

  35. </label><input type="checkbox" id="sn-reason" class="margin-toggle"/>

  36. <span class="sidenote">This makes sense to reduce storing duplicate data

  37. if a repo is large or has many forks.</span>

  38. 

  39. 

  40. Verification

  41. ------------

  42. 

  43. The next question, would combining these into an attack even work?

  44. What would things look like?  I created a few accounts to test them,

  45. creating a project to represent a code dependancy,

  46. [depproj](https://github.com/upstream123/depproj), that would be

  47. imported into another project by another user,

  48. [proj](https://github.com/comproj/proj).  Then once those were created,

  49. have a malicious user create a fork of both the

  50. [deprpoj](https://github.com/maliciousrepo/depproj) and the

  51. [proj](https://github.com/maliciousrepo/proj).

  52. 

  53. Once the malicious forks were created, clone them locally.  With the

  54. clones, malicious [code can be

  55. inserted](https://github.com/maliciousrepo/depproj/commit/91781e4b9e1b1c944e19db740db12304755666b5)

  56. into the depproj repo.  If you look at the repo, the previous commit

  57. was done as the maliciousrepo user, but while I was working on this,

  58. I remembered that w/ git, you can set the commit author to be anything

  59. (signing helps prevent that), so this commit appears to be done by the

  60. correct upstream123 user.

  61. 

  62. Once the malicious code has been inserted, the malicious user can now

  63. update the submodule of the project to the commit id of the malicious

  64. code.  This is done simply by doing:

  65. ```

  66. cd depproj

  67. git fetch origin <commitid>

  68. git checkout <commitid>

  69. ```

  70. 

  71. Even though the depproj still points to the upstream123 repo, because

  72. fork commits appear IN the depproj repo, the above works w/o any other

  73. changes.  This is also what makes it dangerous, because the repo is not

  74. changed, it can be disguised as a simple version update.

  75. 

  76. A [PR](https://github.com/comproj/proj/pull/3) is then submitted to the

  77. project being attacked.  I did not control the author of commits as

  78. well as I should have, but it still is effective.  If you click into

  79. the proposed change, and then click on code.c, the file changed, it'll

  80. bring you to the [change compare

  81. view](https://github.com/upstream123/depproj/compare/91781e4b9e1b1c944e19db740db12304755666b5...370d35ec5df81a16bb361111faeb665ea90de026#diff-e43700a08429a0231daba9a49ff36a118566849856da2811ae074417ebb552d0).

  82. For this demo, it was a small change, but if the project is large, it's

  83. would be easy to bury a minor flaw in lots of changes.  The other thing

  84. to note about this page is that the author displayed is NOT the author

  85. of the change, but it appears that it is a legitimate change by the

  86. author of the repo. [![Screenshot of github comparing changes with a popup of the author showing the author owns this repository and committed to this repository.]([[!!images/codependence-comp-author.png]])]({{ media_url('images/codependence-comp-author.png') }})

  87. 

  88. Conclusion

  89. ----------

  90. 

  91. This is an interesting attack in that it leverages two features in a

  92. way that has surprising results.  It demonstrates that software

  93. dependancies need to be reviewed, and vetted, and that if you're using

  94. GitHub, that just because a PR says it's updating a submodule to the

  95. new version, it doesn't mean that it is safe to simply merge in the

  96. change.

  97. 

  98. 

  99. Timeline

  100. --------

  101. 

  102. 2021-03-31 -- Reported to GitHub via HackerOne.<br>

  103. 2021-03-31 -- More info requested and provided.<br>

  104. 2021-04-01 -- Ack'd issue and started work on fix.<br>

  105. 2021-05-04 -- GitHub determined it was low risk, but did add warning when viewing commit.<br>

  106. 2021-05-05 -- Asked GitHub for disclosure timeline.<br>

  107. 2021-06-04 -- Pinged GitHub again.<br>

  108. 2021-07-07 -- Published blog post.<br>