A few days ago news broke that a critical vulnerability (CVE-2021-29472) had been identified in the Composer dependency manager. It allows arbitrary commands to be executed on the system when Composer processes a package whose URL value, the address from which the source code is downloaded, has been specially crafted.
The problem manifests itself in the GitDriver, SvnDriver and HgDriver components used with the Git, Subversion and Mercurial version control systems. The vulnerability was fixed in Composer versions 1.10.22 and 2.0.13.
Particularly affected is Packagist, Composer's default package repository, which hosts around 306,000 PHP packages and serves more than 1.4 billion package downloads per month.
In the PHP ecosystem, Composer is the main tool for managing and installing software dependencies. Development teams around the world use it to ease the upgrade process and ensure applications run effortlessly across all environments and versions.
The researchers' experiment showed that, had attackers known about the problem, they could have taken control of the Packagist infrastructure and intercepted maintainers' credentials, or redirected package downloads to a third-party server and delivered modified package variants, planting a backdoor during dependency installation.
The danger to end users is limited, because the content of composer.json is usually written by the user and the source links come from third-party repositories that are usually trustworthy. The main blow fell on the Packagist.org repository and the Private Packagist service, which invoke Composer on data received from users. Attackers could run their code on Packagist's servers by submitting a specially crafted package.
The Packagist team resolved the vulnerability within 12 hours of being notified. The researchers privately notified the Packagist developers on April 22, and the issue was fixed on Packagist's side the same day. A public Composer update with the fix was released on April 27, and the details were disclosed on April 28. An audit of the logs on Packagist's servers did not reveal any suspicious activity associated with the vulnerability.
Argument injection bugs are an interesting class of vulnerabilities: they are often overlooked during code reviews and are very easy to miss entirely in black-box testing, since the injected value looks like ordinary input rather than shell metacharacters.
The problem stems from insufficient validation of the URLs in the root composer.json file and in the source download links. The bug had been present in the code since November 2011. Composer (and therefore Packagist) uses a layer of VCS drivers to manage code downloads without being tied to a specific version control system; these drivers run the VCS tools by building a command line and executing it via "fromShellCommandline".
The heart of the problem is that the escaping done by ProcessExecutor only neutralises shell metacharacters: a URL that begins with "--" still reaches the VCS tool intact, as a single argument, and the tool then parses it as an option. GitDriver.php, SvnDriver.php and HgDriver.php did nothing to reject such values or to separate them from the tool's options. The attack on GitDriver.php was hampered by the fact that the "git ls-remote" command did not support specifying additional arguments after the path.
An attack on HgDriver.php was made possible by passing the "--config" parameter to the "hg" utility, which allows arbitrary command execution by overriding the "alias.identify" configuration value with a shell alias: a URL of the form "--config=alias.identify=!<command>" makes the driver's "hg identify <url>" call run the attacker's command instead of the identify subcommand.
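To make the mechanism concrete, the following is an added Python model of the vulnerable call shape and of a hardened variant. It is not Composer's code: the stand-in `escape()` (which only shell-quotes, as the description above says ProcessExecutor's escaping does), the function names, the `id` payload and the hardening choices are assumptions for illustration. It shows why shell quoting alone does not stop the payload, and why rejecting option-like values plus an explicit `--` does.

```python
import shlex


def escape(value: str) -> str:
    """Stand-in for Composer's ProcessExecutor::escape (assumed behaviour):
    shell-quote the value so /bin/sh hands it to the tool as one argv element."""
    return shlex.quote(value)


def vulnerable_hg_identify_command(url: str) -> str:
    """Modelled pre-fix shape of the HgDriver call: hg identify <escaped url>."""
    return f"hg identify {escape(url)}"


def argv_as_seen_by_tool(command_line: str) -> list[str]:
    """Tokenise the command line the way /bin/sh would before execve()."""
    return shlex.split(command_line)


def injected_options(command_line: str) -> list[str]:
    """Argv elements after 'hg identify' that Mercurial's option parser would
    treat as options rather than as the repository operand."""
    argv = argv_as_seen_by_tool(command_line)
    return [arg for arg in argv[2:] if arg.startswith("-") and arg != "--"]


def is_safe_repository_url(url: str) -> bool:
    """Reject anything that could be parsed as an option by the VCS tool."""
    return bool(url) and not url.startswith("-")


def hardened_hg_identify_command(url: str) -> str:
    """Hardened variant (added here; Composer's real patch may differ): refuse
    option-like values and terminate option parsing with '--' (POSIX getopt
    convention, assumed to be honoured by hg) before the operand."""
    if not is_safe_repository_url(url):
        raise ValueError(f"refusing option-like repository URL: {url!r}")
    return f"hg identify -- {escape(url)}"


if __name__ == "__main__":
    # Constructed inputs: a classic shell-injection attempt and an argument
    # injection of the class described above ('id' stands in for the real command).
    shell_attempt = "https://hg.example.org/repo; id"
    argument_attempt = "--config=alias.identify=!id"

    for url in (shell_attempt, argument_attempt):
        cmd = vulnerable_hg_identify_command(url)
        print("command line :", cmd)
        print("tool argv    :", argv_as_seen_by_tool(cmd))
        print("options seen :", injected_options(cmd))
        print()

    # The hardened builder refuses the payload outright and fences real URLs.
    print(hardened_hg_identify_command("https://hg.example.org/repo"))
```

Running it shows that the `; id` attempt is harmless after quoting (it stays one operand), while `--config=alias.identify=!id` survives quoting unchanged and is exactly what `hg` parses as an option. The hardened builder applies two independent defences, because either alone is fragile: the allow-check catches the obvious case, and `--` protects against operand values the check did not anticipate.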
By submitting a test package with such a URL to Packagist, the researchers confirmed that, after it was published, their server received an HTTP request from one of Packagist's servers on AWS containing a listing of the files in the current directory.
It should be noted that the maintainers found no signs of prior exploitation of this vulnerability on the public Packagist instance.
Finally, if you are interested in learning more, the full details are available at the link below.