Information Security

Hacking OWASP’s Juice Shop Pt. 62: Supply Chain Attack

Posted on by codeblue04

Challenge: 

Name:  Supply Chain Attack

Description: Inform the development team about a danger to some of their credentials. (Send them the URL of the original report or an assigned CVE or another identifier of this vulnerability)

Difficulty: 5 star

Category: Vulnerable Components

Expanded Description: https://pwning.owasp-juice.shop/part2/vulnerable-components.html

Tools used:

None

Resources used:

www.snyk.io/vuln

Methodology: 

In the expanded description for this challenge there are three clues: The developers, not the customers, are the target of this attack, this is simply a research challenge, and having access to the Developer Backup will save time.

Knowing roughly what a supply chain attack is, how severe they are, and also having spent quite a bit of time during previous challenges finding vulnerable libraries in the developer’s backup file, I had a fairly short list of possible culprits.

After clicking on the vulnerability to check it out, I found two listed posts describing the issue and its mitigation. The vulnerability is apparently so bad that it is recommended that elsint-scope should be removed from all projects entirely, and it’s easy to understand why. Automatically downloading malware from pastebin coupled with remote code execution is a scary combination.

@ ESLint Q Search the docs... User guide Postmortem for Malicious Packages Published on July 12th, 2018 Summary On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the -eslint-scope- and eslint- config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from -pastebin.com which sent the contents of the user's l.npmrc file to the attacker. An I . npmrcj file typically contains access tokens for publishing to npm. The malicious package versions are I es1int-scope@3.7.2 and glint-config-es1int@5.0.2' both of which have been unpublished from npm. The pastebin.com. paste linked in these packages has also been taken down.
eslint/ eslint-scope Code O Issues 8 Pull requests @ Actions CO Projects C) Security Insights Virus in eslint-scope? 39 C Closed pronebird opened this issue on Jul 12, 2018 • 92 comments pronebird commented on Jul 12, 2018 • edited by hzoo Updated blog post: https://eslint.org/blog/2018/07/postmortem-for-malicious- package-publishes Update from the maintainers Incident status report from npm Please follow the comment by @platinumazure that gives a little insight into what happened: #39 (comment) It also appears that the same code was published in eslint-config-eslint@5.0.2, which has also since been unpublished. See eslint/eslint#10600 for more information.

Here I had a touch of trouble figuring out what the challenge solution format was, but as I was certain I’d found the right vulnerability I didn’t feel too bad about checking the Solution Guide to find out what to enter into the feedback form.

Customer Feedback - Author — anonymous Comment https://github.com/eslint/eslint-scope/issues/39 O Max. 160 characters 48/160 Rating CAPTCHA: 22 What is 7+5*3 ? Submit
You successfully solved a challenge: Supply Chain Attack (Inform the development team about a danger to some of their credentials. (Send them the URL of the original report or an assigned CVE or another identifier of this vulnerability)) x

Prevention and Mitigation Strategies:

OWASP Vulnerable Dependency Management Cheat Sheet

Keep up to date on vulnerabilities found in the libraries you’re using. When one is found to be as vulnerable as eslint-scope was, do whatever is necessary to immediately remove it from your projects. A quick and easy way to determine the severity of listed vulnerabilities is to check the CVSS score. If it’s a 9, remove the package. If it’s a 4, maybe it’s not quite as urgent, but should still be updated to a new version or replaced in a timely manner.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s