RCE due to a dependency confusion in openziti/ziti
Reported on
May 5th 2022
Description
Hi team,
I hope you are well. I found a dependency confusion vulnerability in this repo.
When I analyzed your repo, I found a Makefile which installs a dependency: https://github.com/openziti/ziti/blob/271614d50df5535cf99ad0882649ae0ef7bb88a2/ziti/Makefile#L155
go get github.com/GoASTScanner/gas
I then tested this URL and it was redirecting to https://github.com/securego/gosec. So I tested whether I could take over the old username to cause a dependency confusion vulnerability. This username was available to take, and I took it for the PoC. But so as not to impact any users, I did the following steps.
Proof of Concept
1.) I forked https://github.com/securego/gosec
2.) I changed the repo name from gosec to gas
3.) I changed my username from akincibor to GoASTScanner
4.) I re-changed my username from GoASTScanner to akincibor
Now github.com/GoASTScanner/gas is redirecting to my repo github.com/akincibor/gas.
Anyone can make this URL redirect to their own repo. They can also create a new GitHub account and take the old username without changing it back.
Impact
As an attacker, I can host malicious content in my GitHub repository. I can also host an SDK, malware, or a simple backdoor, which can lead to RCE because the malicious code will be installed: my repo will be installed rather than the real one.
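A check for this class of issue, added here as an example rather than code from openziti/ziti or from the report: it scans a Makefile for `go get github.com/<owner>/<repo>` targets and asks GitHub, without following redirects, whether each declared path still resolves to itself, redirects to a renamed namespace (the GoASTScanner/gas to securego/gosec case above) or returns 404 (the old name is unclaimed). The Makefile text, the `example/tool` path and all function names are constructed for this example and are not from the project.

```go
// Added example (not openziti's code): flag "go get github.com/..." targets in a
// Makefile whose GitHub namespace has moved or no longer exists, since the old
// owner/repo name can then be registered by anyone and served to the build.
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"regexp"
	"strings"
	"time"
)

// Resolver reports where github.com/<owner>/<repo> actually lands as "owner/repo",
// or "" if the path does not exist. It is a function type so the scan can run
// offline with a stub resolver.
type Resolver func(owner, repo string) (resolved string, err error)

// goGetGitHub matches "go get [flags] github.com/<owner>/<repo>[/subpath]".
var goGetGitHub = regexp.MustCompile(`\bgo\s+get\b[^\n]*?\bgithub\.com/([\w.-]+)/([\w.-]+)`)

// Finding is one dependency whose declared GitHub path is not what GitHub serves.
type Finding struct {
	Line       int
	Declared   string // owner/repo as written in the Makefile
	ResolvedTo string // owner/repo GitHub redirects to, "" if not found
	Reason     string
}

// ScanMakefile extracts every GitHub go-get target and returns the ones that
// redirect to another namespace or that no longer exist.
func ScanMakefile(makefile string, resolve Resolver) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(makefile))
	for n := 1; sc.Scan(); n++ {
		m := goGetGitHub.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		declared := m[1] + "/" + m[2]
		resolved, err := resolve(m[1], m[2])
		if err != nil {
			return nil, fmt.Errorf("line %d: %s: %w", n, declared, err)
		}
		switch {
		case resolved == "":
			findings = append(findings, Finding{n, declared, "", "not found: namespace is unclaimed"})
		case !strings.EqualFold(resolved, declared): // GitHub names are case-insensitive
			findings = append(findings, Finding{n, declared, resolved, "redirects elsewhere: old namespace may be claimable"})
		}
	}
	return findings, sc.Err()
}

// GitHubResolver issues a HEAD request and stops at the first response, so a
// 301/302 Location header reveals the renamed owner/repo instead of being followed.
func GitHubResolver(owner, repo string) (string, error) {
	client := &http.Client{
		Timeout:       10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	resp, err := client.Head("https://github.com/" + owner + "/" + repo)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return owner + "/" + repo, nil
	case http.StatusNotFound:
		return "", nil
	case http.StatusMovedPermanently, http.StatusFound, http.StatusTemporaryRedirect, http.StatusPermanentRedirect:
		loc, err := url.Parse(resp.Header.Get("Location"))
		if err != nil {
			return "", err
		}
		parts := strings.SplitN(strings.Trim(loc.Path, "/"), "/", 3)
		if len(parts) < 2 {
			return "", fmt.Errorf("unexpected redirect target %q", loc)
		}
		return parts[0] + "/" + parts[1], nil
	default:
		return "", fmt.Errorf("unexpected HTTP status %d", resp.StatusCode)
	}
}

// SampleMakefile is a constructed snippet modelled on the pattern in the report.
const SampleMakefile = `# constructed sample, not the project's Makefile
GAS_BIN := $(GOPATH)/bin/gas

$(GAS_BIN):
	go get github.com/GoASTScanner/gas

lint: $(GAS_BIN)
	go get -u github.com/example/tool
`

func main() {
	findings, err := ScanMakefile(SampleMakefile, GitHubResolver)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("line %d: %s -> %q (%s)\n", f.Line, f.Declared, f.ResolvedTo, f.Reason)
	}
	if len(findings) > 0 {
		os.Exit(1) // fail the build on any moved or unclaimed dependency namespace
	}
}
```

Run it in CI against the real Makefile and fail the build on any finding. One caveat: the check only reasons about the GitHub namespace. A `go get` executed in module mode against a dependency already recorded in go.sum would still reject substituted content through the recorded hash, while a bare `go get` of an unpinned path, as in the Makefile line quoted in the report, fetches whatever the redirect target currently serves.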
SECURITY.md
Thank you for this report. It would appear to be a valid issue and has been addressed. This Makefile is no longer in use and has been removed. The change will make it to the main branch on the next release.