jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
107 Commits
1 Branch
4.6 MiB
 
 
 
 
Branch: main
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'main'
${ noResults }
blog/content/2021/07/CODEpendence-github.html

110 lines
4.9 KiB
Raw Permalink Blame History 

  1. ---

  2. title: CODEpendence

  3. description: >

  4.   How to surreptitiouslyinject code via submodules that use GitHub repos

  5. posted: !!timestamp '2021-07-07'

  6. created: !!timestamp '2021-07-07'

  7. time: 11:16 AM

  8. tags:

  9.   - security

  10.   - GitHub

  11.   - git

  12. ---

  13. 

  14. TL;dr: If you use submodules that point to a GitHub repo, make sure

  15. that the commit id matches an offical branch or tag, especially if

  16. upgraded via a PR or submitted patch.

  17. 

  18. This issue was disclosed to GitHub via the HackerOne Bug Bounty

  19. program and resolved by them in a timely manner.  The

  20. [writeup](https://www.funkthat.com/~jmg/github.submodules.hash.txt) is

  21. available and is the same one that was provided to GitHub.  It contains

  22. the complete steps in more detail than this blog post does.

  23. 

  24. Discovery

  25. ---------

  26. 

  27. Earlier this year, I was dealing with a git repo that used submodules.

  28. I've never been a fan of them due to the extra work involved in using

  29. them.  But then a thought hit me, last year, when GitHub took down

  30. youtube-dl, someone was a bit sneaky and inserted a [copy of it into

  31. GitHub's DMCA repo](https://www.reddit.com/r/programming/comments/jhlhok/someone_replaced_the_github_dmca_repo_with/).

  32. They were able to do this because there is a feature/bug in GitHub's

  33. backend, that all the commits to a forked repo are accessible in the

  34. parent repo, it's just that the branches and tags are maintained

  35. separately.<label for="sn-reason" class="margin-toggle sidenote-number">

  36. </label><input type="checkbox" id="sn-reason" class="margin-toggle"/>

  37. <span class="sidenote">This makes sense to reduce storing duplicate data

  38. if a repo is large or has many forks.</span>

  39. 

  40. 

  41. Verification

  42. ------------

  43. 

  44. The next question, would combining these into an attack even work?

  45. What would things look like?  I created a few accounts to test them,

  46. creating a project to represent a code dependancy,

  47. [depproj](https://github.com/upstream123/depproj), that would be

  48. imported into another project by another user,

  49. [proj](https://github.com/comproj/proj).  Then once those were created,

  50. have a malicious user create a fork of both the

  51. [deprpoj](https://github.com/maliciousrepo/depproj) and the

  52. [proj](https://github.com/maliciousrepo/proj).

  53. 

  54. Once the malicious forks were created, clone them locally.  With the

  55. clones, malicious [code can be

  56. inserted](https://github.com/maliciousrepo/depproj/commit/91781e4b9e1b1c944e19db740db12304755666b5)

  57. into the depproj repo.  If you look at the repo, the previous commit

  58. was done as the maliciousrepo user, but while I was working on this,

  59. I remembered that w/ git, you can set the commit author to be anything

  60. (signing helps prevent that), so this commit appears to be done by the

  61. correct upstream123 user.

  62. 

  63. Once the malicious code has been inserted, the malicious user can now

  64. update the submodule of the project to the commit id of the malicious

  65. code.  This is done simply by doing:

  66. ```

  67. cd depproj

  68. git fetch origin <commitid>

  69. git checkout <commitid>

  70. ```

  71. 

  72. Even though the depproj still points to the upstream123 repo, because

  73. fork commits appear IN the depproj repo, the above works w/o any other

  74. changes.  This is also what makes it dangerous, because the repo is not

  75. changed, it can be disguised as a simple version update.

  76. 

  77. A [PR](https://github.com/comproj/proj/pull/3) is then submitted to the

  78. project being attacked.  I did not control the author of commits as

  79. well as I should have, but it still is effective.  If you click into

  80. the proposed change, and then click on code.c, the file changed, it'll

  81. bring you to the [change compare

  82. view](https://github.com/upstream123/depproj/compare/91781e4b9e1b1c944e19db740db12304755666b5...370d35ec5df81a16bb361111faeb665ea90de026#diff-e43700a08429a0231daba9a49ff36a118566849856da2811ae074417ebb552d0).

  83. For this demo, it was a small change, but if the project is large, it's

  84. would be easy to bury a minor flaw in lots of changes.  The other thing

  85. to note about this page is that the author displayed is NOT the author

  86. of the change, but it appears that it is a legitimate change by the

  87. author of the repo. [![Screenshot of github comparing changes with a popup of the author showing the author owns this repository and committed to this repository.]([[!!images/codependence-comp-author.png]])]({{ media_url('images/codependence-comp-author.png') }})

  88. 

  89. Conclusion

  90. ----------

  91. 

  92. This is an interesting attack in that it leverages two features in a

  93. way that has surprising results.  It demonstrates that software

  94. dependancies need to be reviewed, and vetted, and that if you're using

  95. GitHub, that just because a PR says it's updating a submodule to the

  96. new version, it doesn't mean that it is safe to simply merge in the

  97. change.

  98. 

  99. 

  100. Timeline

  101. --------

  102. 

  103. 2021-03-31 -- Reported to GitHub via HackerOne.<br>

  104. 2021-03-31 -- More info requested and provided.<br>

  105. 2021-04-01 -- Ack'd issue and started work on fix.<br>

  106. 2021-05-04 -- GitHub determined it was low risk, but did add warning when viewing commit.<br>

  107. 2021-05-05 -- Asked GitHub for disclosure timeline.<br>

  108. 2021-06-04 -- Pinged GitHub again.<br>

  109. 2021-07-07 -- Published blog post.<br>