Component of PHP Packagist package manager vulnerable to compromise


Ben Dickson October 05, 2022 at 14:38 UTC

Updated: October 05, 2022 at 14:45 UTC

An argument injection bug posed an RCE risk

One of the core components of Composer, the main package manager for PHP applications, contained a vulnerability that could have been exploited to attack the code repositories it indexes, researchers at SonarSource have found.

Packagist, the vulnerable component, is the package repository that Composer queries to resolve and download the dependencies that developers declare in their projects. Packagist serves around two billion package downloads every month.

The vulnerability could potentially have been exploited to distribute backdoored packages to servers, a technical blog post by SonarSource explains.

An estimated 3,500,000 dependencies could have been affected by the vulnerability.

Fortunately, the vulnerability was fixed by the project maintainers just hours after it was reported.

Argument injection

The new bug comes a year after SonarSource discovered and reported another supply chain vulnerability in Packagist. The previous bug affected the classes that interact with version control systems (VCS) such as Git, Mercurial, and Subversion to resolve dependencies from code repositories.

Although that vulnerability was patched by the Packagist maintainers, SonarSource researchers found that other implementations of the same class were still open to a similar attack.

“Our previous research helped us quickly navigate to the juicy sections of the code base, but at the same time, we missed this bug multiple times while reviewing code and fixes related to our previous discovery,” Thomas Chauchefoin, vulnerability researcher at SonarSource, told The Daily Swig.

To display package information, Packagist reads the contents of the package's composer.json, or of a user-specified file, from the code repository. Packagist contains a separate implementation for retrieving file contents from each supported VCS. Each of these implementations composes a shell command that includes the user-supplied file name as an argument.

According to SonarSource, an attacker who controlled that file name could have it passed as an argument to the VCS command executed on the server. Packagist does escape the value before running the command, which stops shell metacharacters from breaking out of the argument, but escaping does not stop the VCS binary itself from interpreting a value that begins with a dash as one of its own command-line options. That is the loophole an argument injection exploits.
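The following PHP snippet is an added illustration of the mechanism described above; it is not Composer's or Packagist's own code. It uses a hypothetical helper built around the command shape `hg cat -r <rev> <file>` as a stand-in for the kind of VCS call a driver composes, and shows why `escapeshellarg()` alone is not enough and what a hardened version looks like.

```php
<?php
declare(strict_types=1);

// Added example, not Composer's code. The helper names and the `hg cat`
// command shape are illustrative assumptions for the demonstration.

/**
 * Vulnerable pattern: escapeshellarg() neutralises shell metacharacters
 * (quotes, semicolons, backticks), so the attacker cannot run a second
 * command. But a value such as "--help" is passed intact to hg, which
 * parses it as an option instead of a file name: argument injection.
 */
function buildCatCommandVulnerable(string $rev, string $file): string
{
    return sprintf('hg cat -r %s %s', escapeshellarg($rev), escapeshellarg($file));
}

/**
 * Hardened pattern: refuse option-looking values outright, and terminate
 * option parsing with `--` so that whatever follows is always treated as
 * a positional argument by the invoked binary.
 */
function buildCatCommandHardened(string $rev, string $file): string
{
    foreach (['rev' => $rev, 'file' => $file] as $name => $value) {
        if ($value === '' || $value[0] === '-') {
            throw new InvalidArgumentException(
                sprintf('Refusing option-like %s argument: %s', $name, $value)
            );
        }
    }
    // `--` ends option parsing for hg (and git, svn), so even a dash-prefixed
    // path that slipped past the check above could not become a flag.
    return sprintf('hg cat -r %s -- %s', escapeshellarg($rev), escapeshellarg($file));
}

// Constructed attacker-controlled value: no shell metacharacters at all,
// just a string that the VCS tool recognises as an option. A real attacker
// would pick an option with side effects; --help is enough to show the point.
$maliciousFile = '--help';

echo "Vulnerable: ", buildCatCommandVulnerable('default', $maliciousFile), PHP_EOL;
// hg cat -r 'default' '--help'   -> hg sees a flag, not a file name

try {
    echo "Hardened:   ", buildCatCommandHardened('default', $maliciousFile), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "Hardened:   rejected (", $e->getMessage(), ")", PHP_EOL;
}

echo "Benign:     ", buildCatCommandHardened('default', 'README.md'), PHP_EOL;
// hg cat -r 'default' -- 'README.md'
```

Note that switching from a shell string to an argv array (for example `proc_open()` with an array command in PHP 7.4 and later) removes the shell from the picture but does not fix this class of bug: the binary still receives the dash-prefixed value as an argument. Only the `--` separator, or a tool-specific option that forces the value to be read as data, closes the hole; the leading-dash check is defence in depth on top of that.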

Supply chain attack

In a proof-of-concept video, the researchers show how the vulnerability could be exploited to execute arbitrary commands on the server.

An attacker could abuse the bug to modify the definition of a package and point it at a destination of their choosing, tainting the software development pipeline of everyone who depends on it.

“Defending against argument injection bugs is very unusual compared to any technique we’ve offered developers over the past decade, and I think that’s why we’ve found a lot of them,” Chauchefoin commented.

“Third-party data can be encoded, escaped, and tightly validated, but that’s often not enough!”

Protect yourself

The bug was fixed shortly after SonarSource reported it to Packagist. If you use the official default Packagist instance or Private Packagist, you are already protected. If you embed Composer as a library and process untrusted repositories with it, you should upgrade to one of the patched versions of the library.

“Nothing has changed in the year since our previous discovery, which is understandable as these are vital projects with years of work behind them,” Chauchefoin said.

“Enforcing features such as signing any build artifact (i.e. packages) would likely introduce non-trivial changes to the workflows of millions of developers.”

Meanwhile, Chauchefoin expressed hope that greater traction around new standards like sigstore could help mitigate the risks of supply chain attacks.

“Ideally, package managers should just be conduits between package maintainers and users, and there should be no way to tamper with what’s going around inside. Signing everything is key, and sigstore makes it much more affordable,” he said.
