RCE due to a dependency confusion in openziti/ziti

Valid

Reported on May 5th 2022


Description

Hi team,

I hope you are well. I found a dependency confusion vulnerability in this repo.

When I analyzed your repo, I found a Makefile which installs a dependency: https://github.com/openziti/ziti/blob/271614d50df5535cf99ad0882649ae0ef7bb88a2/ziti/Makefile#L155

go get github.com/GoASTScanner/gas

I then tested this URL and it was redirecting to https://github.com/securego/gosec. So, I tested if I could take over the old username to cause a dependency confusion vulnerability. This username was available to take, and I took it for the PoC. But to not impact any users, I did the following steps.

Proof of Concept

1.) I forked https://github.com/securego/gosec

2.) I changed the repo name from gosec to gas

3.) I changed my username from akincibor to GoASTScanner

4.) I re-changed my username from GoASTScanner to akincibor

Now github.com/GoASTScanner/gas is redirecting to my repo github.com/akincibor/gas.

Everyone can make this URL redirect to their own repo. They can also create a new GitHub account and take the old username without re-changing it.

Impact

As an attacker, I can host malicious content on my GitHub repository. I can also host an SDK, malware or a simple backdoor which can lead to an RCE, because the malicious code will be installed: my repo will be installed rather than the real one.
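The defensive counterpart to this report is an audit that finds build-file dependencies whose GitHub path GitHub itself no longer serves from the declared owner: a redirect to another owner means the old name has been released and can be re-registered, and a 404 means it is already free. The following Go program is an added example written for this page, not code from the report or from the openziti/ziti project. The function names (`ExtractGitHubPaths`, `Audit`, `HTTPResolver`), the `sampleMakefile` fragment and the `fakeResolver` answers are assumptions made here; the only fact taken from the report is that `github.com/GoASTScanner/gas` redirected to `github.com/securego/gosec`, and `github.com/example-org/lib` is an invented name used for contrast.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Finding records a dependency whose declared GitHub path is no longer served
// by the owner named in the build file.
type Finding struct {
	Declared string // path as written, e.g. github.com/GoASTScanner/gas
	Resolved string // path GitHub now serves it from, or "" if nothing is there
	Note     string
}

// Resolver maps a declared github.com/owner/repo path to the path GitHub
// actually serves ("" when the repository does not exist).
type Resolver func(declared string) (string, error)

var githubPathRe = regexp.MustCompile(`(github\.com/[\w.-]+/[\w.-]+)`)

// ExtractGitHubPaths pulls every github.com/owner/repo path out of build-file
// text such as Makefile `go get` lines or go.mod require lines, skipping
// comment lines and de-duplicating case-insensitively (GitHub names are).
func ExtractGitHubPaths(buildFile string) []string {
	seen := map[string]bool{}
	var paths []string
	sc := bufio.NewScanner(strings.NewReader(buildFile))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "#") || strings.HasPrefix(line, "//") {
			continue
		}
		if m := githubPathRe.FindStringSubmatch(line); m != nil && !seen[strings.ToLower(m[1])] {
			seen[strings.ToLower(m[1])] = true
			paths = append(paths, m[1])
		}
	}
	return paths
}

// owner returns the lower-cased owner segment of github.com/owner/repo.
func owner(path string) string {
	parts := strings.SplitN(strings.ToLower(path), "/", 3)
	if len(parts) < 3 {
		return ""
	}
	return parts[1]
}

// Audit flags paths that GitHub redirects to a different owner (the old name
// has been released and could be re-registered) or does not serve at all.
func Audit(paths []string, resolve Resolver) ([]Finding, error) {
	var findings []Finding
	for _, p := range paths {
		canonical, err := resolve(p)
		if err != nil {
			return nil, fmt.Errorf("resolve %s: %w", p, err)
		}
		switch {
		case canonical == "":
			findings = append(findings, Finding{Declared: p, Note: "not served by GitHub; the name may be free to register"})
		case owner(canonical) != owner(p):
			findings = append(findings, Finding{Declared: p, Resolved: canonical, Note: "redirects to another owner; pin the canonical path and version"})
		}
	}
	return findings, nil
}

// HTTPResolver asks GitHub with a HEAD request and reads the first redirect
// instead of following it; a renamed user or repository shows up as 301/302.
func HTTPResolver(declared string) (string, error) {
	noFollow := func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	resp, err := (&http.Client{CheckRedirect: noFollow}).Head("https://" + declared)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusMovedPermanently, http.StatusFound:
		return strings.TrimSuffix(strings.TrimPrefix(resp.Header.Get("Location"), "https://"), "/"), nil
	case http.StatusNotFound:
		return "", nil
	}
	return declared, nil
}

// sampleMakefile is a constructed fragment: the first go get line is the one
// the report points at, the second dependency is invented for contrast.
const sampleMakefile = `
# tools pulled in by the lint target
lint-tools:
	go get github.com/GoASTScanner/gas
	go get github.com/example-org/lib
`

// fakeResolver replaces HTTPResolver so the example runs offline; its answers
// are constructed (the first mirrors the redirect the report describes).
func fakeResolver(declared string) (string, error) {
	switch strings.ToLower(declared) {
	case "github.com/goastscanner/gas":
		return "github.com/securego/gosec", nil
	case "github.com/example-org/lib":
		return declared, nil
	}
	return "", nil
}

func main() {
	findings, err := Audit(ExtractGitHubPaths(sampleMakefile), fakeResolver)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s -> %q: %s\n", f.Declared, f.Resolved, f.Note)
	}
}
```

Against the constructed Makefile the audit reports one finding, the GoASTScanner path redirecting to securego, and stays silent on the dependency that resolves to itself. To run it against a real repository, swap `fakeResolver` for `HTTPResolver` and feed it the Makefile and go.mod contents; the remediation for any hit is the one the maintainers applied here, dropping the stale path, or otherwise rewriting it to the canonical owner and pinning a version so go.sum verifies the module contents.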

We are processing your report and will contact the openziti/ziti team within 24 hours. 23 days ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 22 days ago
We have contacted a member of the openziti/ziti team and are waiting to hear back 21 days ago
We have sent a follow up to the openziti/ziti team. We will try again in 7 days. 18 days ago
openziti/ziti maintainer, 18 days ago:

Thank you for this report. It would appear to be a valid issue and has been addressed. This Makefile is no longer in use and has been removed. The change will make it to the main branch on the next release.

openziti/ziti maintainer modified the Severity from High to Low 18 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
openziti/ziti maintainer validated this vulnerability 18 days ago
akincibor has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
openziti/ziti maintainer confirmed that a fix has been merged on e57044 18 days ago
The fix bounty has been dropped