Entry points threaten multiple open-source ecosystems
Oct 14, 2024
While current tools have improved at detecting common tactics for exploiting open-source packages, a feature remains largely overlooked: entry points.
Security researchers at Checkmarx uncovered how attackers can leverage entry points across multiple programming ecosystems, with a particular focus on PyPI, to trick victims into running malicious code. This method – while not allowing for immediate system compromise – offers a subtler approach for patient attackers to infiltrate systems, potentially evading standard security measures.
Entry points, a powerful feature for exposing package functionality, are vulnerable to exploitation across various ecosystems including PyPI (Python), npm (JavaScript), Ruby Gems, NuGet (.NET), Dart Pub, and Rust Crates. Attackers can leverage these entry points to execute malicious code when specific commands are run, posing a widespread risk.
The researchers identified several attack methods, including “command-jacking” – impersonating popular third-party tools and system commands – and targeting various stages of the development process through malicious plugins and extensions. Each approach carries varying levels of potential success and detection risk.
One particularly insidious technique is “command wrapping”. Instead of simply replacing a command, this involves creating an entry point that acts as a wrapper around the original command. The malicious entry point is triggered when the user calls the command, silently executing the attacker’s code before calling the legitimate command with all the user’s arguments. This method is especially dangerous as it maintains the appearance of normal operation, making the attack extremely difficult to detect through normal use.
The researchers demonstrated how a malicious pytest plugin could compromise the integrity of the entire testing process. By manipulating pytest’s assertion handling, an attacker could cause all equality checks to pass regardless of their actual values, leading to false positives in test results and allowing buggy or vulnerable code to pass quality checks unnoticed.
Similarly, popular development tools like Flake8 could be targeted. An attacker might create a malicious extension disguised as helpful linting rules, allowing them to perform harmful actions on the victim’s system, inject malicious “fixes” into the code, or manipulate linting results to hide or create issues.
The researchers also noted that the increasing prevalence of Python wheels (.whl files) presents a unique challenge. While .whl files don’t execute setup.py during installation, making it traditionally more difficult for attackers to achieve arbitrary code execution, the entry point attack method provides a workaround for this limitation.
“Many security tools focus on analysing execution of preinstall scripts during installation, which are typically associated with .tar.gz files,” the researchers explained. “As a result, they may miss malicious code in packages distributed as .whl files, especially when the malicious behaviour is triggered through entry points rather than immediate execution.”
The researchers emphasised the importance of developing comprehensive security measures that account for the exploitation of entry points. By understanding and addressing these risks, the industry can work towards a more secure Python packaging environment, safeguarding both individual developers and enterprise systems against sophisticated supply chain attacks.
(Photo by Jason Dent)
See also: Open Source Pledge aims to fund software maintainers
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including BlockX, Digital Transformation Week, IoT Tech Expo, and AI & Big Data Expo.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.
Tags: coding, command wrapping, command-jacking, cyber security, cybersecurity, dart pub, entry points, hacking, JavaScript, npm, nuget, open source, open-source, packages, programming, pypi, python, rust, rust crates, security, supply chain