How I hacked CTX and PHPass Modules

Preface

All this research DOES NOT contain any malicious activity. I want to show how this simple attack affects +10M users and companies. ALL THE DATA THAT I RECEIVED IS DELETED AND NOT USED. You can find my previous research on Medium or Twitter. Also, I sent a report to GitHub on HackerOne, and it was closed as a duplicate.

Summary

I took over popular packages on PyPI, Composer, and Cargo using only a scraper tool. CTX and PHPass are the most popular packages I found, but a total of +10M users are affected if attackers take over all available packages. Let’s dive into how I did it.

Rust Package Registry

If you want to upload a package to the Rust registry, you must connect your GitHub account to https://crates.io/. Then you can create your package. So basically, if I find the owner of a package and that owner’s GitHub profile returns 404, I can create that GitHub profile and take over the package.

crates.io has an API that exposes information about each package and its owners.

For example, if you want to get information about the “rand” package:

I created a scraper that collects all Rust packages and their URLs. After that, I use “jq” to analyze the responses and extract the owners.

https://github.com/stedolan/jq

Lastly, the bot checks whether each of these owners still exists; if one does not, it notifies me. All of this finished in a few days on a free AWS EC2 instance. Also, crates.io crashed while I was scraping all the data; sorry for that.

Update: after further investigation, while the http://crates.io website can get confused by deleted and renamed GitHub accounts, it is not possible to take control of the packages of deleted/renamed GitHub accounts.

Update 2: after further investigation, developers did not find any crashes on crates.io.

Python Package Index

If you want to upload a package to PyPI, you must create an account at https://pypi.org/account/register/. Then you can create your package. So I created a bot that checks whether the GitHub profile exists and looks up the owner account email. I use the HTMLQ tool to parse the HTML response. After that, if the GitHub profile does not exist, I can take over that package; or if the owner account email belongs to a company and that domain is no longer registered, I can take over that package too.

PyPI Create an account

CTX

CTX is a minimal but opinionated dict/object combo (like Bunch). The email of the owner of the CTX package is figlief@figlief.com. The bot notified me that this domain is no longer registered, so if I buy that domain I can request a forgot-password mail and take over the package.

PyPI Password reset

I manually checked that the domain was available using Google Domains.

I paid 5 dollars for that domain and created the “figlief” user. Now I can send a forgot-password mail to that email address.

I changed the password and logged in to that account. After that, I could add new versions and change previous versions. I remembered that Alex Birsan uploaded new versions of packages belonging to private repositories. The last version of the CTX package was “0.1.2”, so I uploaded a “0.2” version; if the victim runs the pip install ctx command to download the package, the victim downloads the “0.2” version. Then I waited one week to analyze how many users download specific versions. I used Pepy Tech for that; it is also open source.

https://pepy.tech/project/ctx

But my latest version was downloaded less than the “0.1.2” version, so I thought that some projects pull in the CTX package through a “requirements.txt” file, and I modified the “0.1.2” version with my code. If anyone uses the “0.1.2” version, the victim gets my malicious package.

https://python-security.readthedocs.io/pypi-vuln/index-2022-05-24-ctx-domain-takeover.html

Composer

If you want to upload a package to Composer, you must create an account at https://packagist.org/register/. Then you can create your package. So I modified the bot to check whether the GitHub profile exists and to look up the owner account email on packagist.org. After that, if the GitHub profile does not exist, I can take over that package; or if the owner account email belongs to a company and that domain is no longer registered, I can take over that package too.

The bot notified me that the largest available package is PHPass with +2.5M installs. I checked that the GitHub user does not exist, so I created that account, created the PHPass repository, and added my code in __construct(mixed ...$values = ""): void. If someone uses the package, I get a notification on my development server.

NPMJS

I did not research NPM, but the same attack is valid for that package manager.

Github Authentication Bypass

If someone wants to create a retired repository, GitHub does not allow that.

But I found a way to bypass that control. I wanted to create the https://github.com/hautelook/phpass/ repository. So I changed my username to hautelook, but creating the phpass repository was not allowed. So I followed these steps.

  • Change username to a random string
  • Create phpass repository
  • Change username to hautelook

Now I had a valid repository and pushed my code.

HackerOne Report

I sent the report on May 19th, showing that I had taken over the PHPass repository, and one day later my report was closed as a duplicate.

Results

  • 1000 environment variables received. Most of them were just spam meant to increase my bill. But I use the free version of Heroku, so I don’t use my billing information on Heroku.
Thank you gruey!

All this research does not contain any malicious activity. I wonder what a simple scraper bot can cause.

  • CTX and PHPass packages are removed
  • GitHub user deleted
  • My Heroku server and user shut down
  • My personal website is shut down

Timeline

  • Unknown: Domain hosting email for ctx owner user account expired
  • 2022-05-10: Password reset attempted for ctx owner user account
  • 2022-05-14T18:40:05Z: Domain associated with ctx owner user account registered
  • 2022-05-14T18:52:40Z: ctx owner user account password successfully reset
  • 2022-05-14T19:18:36Z to 2022-05-21T12:41:57Z: Malicious versions of ctx project uploaded
  • 2022-05-15: HackerOne report sent
  • 2022-05-16: Report closed as duplicate
  • 2022-05-21T12:50:23.107588: Original benign versions of ctx removed from index

From: https://python-security.readthedocs.io/pypi-vuln/index-2022-05-24-ctx-domain-takeover.html

Note0x1

I want to contribute to PyPI, Crates.io, and Packagist.org using my scraper data to fix vulnerable packages. If you want to collaborate, you can find my contact information below.

Note0x2

If a package is stolen, don’t send a warning email to the author’s email address: that mailbox is the one the attacker now controls. Thanks for your goodwill.

Remediation

I think the author of a project should not be able to modify the oldest versions. For example, I modified the “0.1.2” version of CTX, which is the most used version and was downloaded ~5K times in a day.
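Until registries make old releases immutable, the consumer-side mitigation for the modified “0.1.2” case described above (and for the pip install ctx case in the CTX section) is hash pinning: a lockfile records the sha256 of each release file, so a re-uploaded file with the same version number fails verification. The following is an added example, not code from the original post; the requirements text, artifact bytes and registry response are constructed samples in the shape of `pip-compile --generate-hashes` output and PyPI’s `/pypi/<name>/<version>/json` `urls` list.

```python
import hashlib
import re

# Constructed sample artifact and its digest; the requirements text below is in the
# shape `pip-compile --generate-hashes` emits (digest computed here, not a real ctx hash).
SAMPLE_ARTIFACT = b"constructed sample sdist bytes for ctx 0.1.2\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()
SAMPLE_REQUIREMENTS = "ctx==0.1.2 \\\n    --hash=sha256:" + SAMPLE_SHA256 + "\n"

# Constructed response in the shape of PyPI's /pypi/<name>/<version>/json `urls` list,
# simulating a release file that was replaced after the lockfile was generated.
SAMPLE_REGISTRY = {
    "ctx": {"urls": [{"filename": "ctx-0.1.2.tar.gz",
                      "digests": {"sha256": "0" * 64}}]}
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_pins(requirements: str) -> dict:
    """Map package name -> (version, set of allowed sha256 digests)."""
    pins = {}
    # join backslash continuations so a pin and its --hash flags form one logical line
    for line in requirements.replace("\\\n", " ").splitlines():
        line = line.strip()
        m = PIN_RE.match(line)
        if not m:
            continue
        pins[m.group(1).lower()] = (m.group(2), set(HASH_RE.findall(line)))
    return pins

def verify_artifact(name: str, data: bytes, pins: dict) -> bool:
    """True only if the downloaded file matches a digest pinned for that package."""
    _, allowed = pins.get(name.lower(), (None, set()))
    return bool(allowed) and hashlib.sha256(data).hexdigest() in allowed

def replaced_releases(pins: dict, registry: dict) -> list:
    """Names whose pinned version now serves a file with a digest the lockfile never saw.
    This is the signal a defender wants when an old version is silently re-uploaded."""
    flagged = []
    for name, (_, allowed) in pins.items():
        files = registry.get(name, {}).get("urls", [])
        if any(f["digests"]["sha256"] not in allowed for f in files):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    pins = parse_pins(SAMPLE_REQUIREMENTS)
    print("artifact ok:", verify_artifact("ctx", SAMPLE_ARTIFACT, pins))
    print("tampered artifact ok:", verify_artifact("ctx", SAMPLE_ARTIFACT + b"x", pins))
    print("replaced releases:", replaced_releases(pins, SAMPLE_REGISTRY))
```

With a pinned file in place, `pip install --require-hashes -r requirements.txt` refuses any artifact whose digest is not listed, which is what would have blocked the swapped “0.1.2”.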

Also, GitHub did not fix the vulnerability that I mentioned.

Resources

There are many good resources about this class of vulnerability.

Contact Me!

Twitter: https://twitter.com/aydinnyunuss

Github: https://github.com/aydinnyunus

LinkedIn: https://www.linkedin.com/in/aydinnyunus/
