RCE due to a dependency confusion in bits-and-blooms/bloom

Valid

Reported on

May 5th 2022


Description

Hi team,

I hope you are well. I found a dependency confusion vulnerability in this repo.

When I analyzed your repo, I found a Makefile which installs a dependency: https://github.com/bits-and-blooms/bloom/blob/25ba46ef8744ddeba999dcd048dbb8b0fa87edb3/Makefile#L188

go get github.com/GoASTScanner/gas

I then tested this URL and it was redirecting to https://github.com/securego/gosec. So, I tested whether I could take over the old username to cause a dependency confusion vulnerability. This username was available to take, and I took it for the PoC. But to not impact any users, I did the following steps.

Proof of Concept

1.) I forked https://github.com/securego/gosec

2.) I changed the repo name from gosec to gas

3.) I changed my username from akincibor to GoASTScanner

4.) I re-changed my username from GoASTScanner to akincibor

Now github.com/GoASTScanner/gas is redirecting to my repo github.com/akincibor/gas.

Anyone can make this URL redirect to their own repo. They can also create a new GitHub account and take the old username without changing it back.

Impact

As an attacker, I can host malicious content on my GitHub repository. I can also host an SDK, malware or a simple backdoor, which can lead to RCE because the malicious code will be installed: my repo will be installed rather than the real one.

We are processing your report and will contact the bits-and-blooms/bloom team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the bits-and-blooms/bloom team and are waiting to hear back 9 months ago
bits-and-blooms/bloom maintainer gave praise 9 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a follow up to the bits-and-blooms/bloom team. We will try again in 7 days. 9 months ago
We have sent a second follow up to the bits-and-blooms/bloom team. We will try again in 10 days. 8 months ago
We have sent a third and final follow up to the bits-and-blooms/bloom team. This report is now considered stale. 8 months ago

Hi Jamie,

The issue has been fixed. May I have a CVE?

Best regards, Akincibor

bits-and-blooms/bloom maintainer validated this vulnerability 4 months ago
Akincibor has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
bits-and-blooms/bloom maintainer marked this as fixed in 3.3.1 with commit 658f13 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
bits-and-blooms/bloom maintainer published this vulnerability 4 months ago