Unclaimed "h2o-r" S3 bucket referenced by a setup script and Dockerfile in h2oai/h2o-3 can be taken over to distribute a malicious R package, leading to remote code execution
Aug 14th 2023
During a source code review of docker/setup-h2o-dev.sh, the script was found to download an R package tarball from the S3 bucket "h2o-r" (the name that appears in the PoC URL below). That bucket name was unclaimed, so it was registered for proof-of-concept (PoC) purposes. Because the script installs whatever the bucket serves, without any checksum or signature check, whoever holds the bucket name controls the package that every user of the script installs. This introduces security risks including unauthorized control of a trusted download location and modification of the content it serves.
Steps To Reproduce:
- Create an S3 bucket named exactly h2o-r (the name must match the hostname or path in the script's download URL) in the us-east-1 region, so that the legacy s3.amazonaws.com URL used by the script resolves to it without a redirect.
- Upload objects with the same keys the script requests (e.g. LiblineaR_1.94-2.tar.gz). In a real attack these would be trojanised package tarballs.
- Make the objects publicly readable (disable Block Public Access and attach a bucket policy that allows s3:GetObject). Enabling static website hosting is optional; it only serves the index.html used as the PoC link.
- The bucket is now under attacker control. Every user or CI job that runs the script downloads the attacker's tarball and passes it to R CMD INSTALL, which executes code from the package during installation and on load, so the attacker gains code execution on the victim's host or container.
Proof of Concept
- PoC link for the S3 bucket takeover: https://h2o-r.s3.amazonaws.com/index.html
- GitHub link showing the S3 bucket reference in the script: https://github.com/h2oai/h2o-3/blob/918af06003ef8e56db51669401fc0e7dad046f99/docker/setup-h2o-dev.sh#L51
The takeover of the "h2o-r" S3 bucket has the following potential impacts:
Unauthorized Access: Anyone who registers the bucket name gains full control of an endpoint that the project's build scripts trust, without needing any access to h2o.ai infrastructure. No pre-existing data is exposed, since the bucket did not exist; the risk is entirely in what the attacker chooses to serve from it.
Content Modification: Because the bucket's content is now attacker-controlled, any code, files, or data retrieved from it must be treated as malicious or untrustworthy. The script installs the downloaded tarball directly, so this leads to unintended code execution on every system that relies on the content from this bucket.
Supply Chain Attack: By serving altered packages from the bucket, an attacker can perform a supply chain attack. Users and CI pipelines executing the script would unknowingly install malicious or compromised versions of the packages, introducing backdoors or other vulnerabilities into the resulting images and environments. Pinning each downloaded artifact to a known SHA-256 (or hosting it in a bucket the project actually owns) would have caused the swapped tarball to be refused.
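The following is an added example, not part of this report and not code from the h2o-3 repository. It covers both the check that goes with the reproduction steps above (is a bucket name referenced by a build script still unclaimed?) and the mitigation for the supply-chain impact (refuse a tarball whose SHA-256 does not match a pinned value). The sample setup script it scans is constructed to resemble the affected script; the object keys, the demo artifact and its hash are hypothetical, and the function names are this example's own. The `probe_bucket` helper needs network access and is the only part that is not exercised offline.

```shell
#!/bin/sh
# Added example (not h2o-3 code): audit build scripts for S3 references,
# classify whether a referenced bucket is claimable, and pin downloads to a SHA-256.

# Constructed stand-in for docker/setup-h2o-dev.sh (hypothetical contents).
SAMPLE_SCRIPT="${TMPDIR:-/tmp}/sample-setup.sh"
cat > "$SAMPLE_SCRIPT" <<'EOF'
#!/bin/bash
apt-get install -y r-base
wget https://s3.amazonaws.com/h2o-r/LiblineaR_1.94-2.tar.gz
R CMD INSTALL LiblineaR_1.94-2.tar.gz
wget https://h2o-r.s3.amazonaws.com/other-package_0.1.tar.gz
EOF

# 1. Extract bucket names from path-style (s3.amazonaws.com/<bucket>/...) and
#    virtual-hosted-style (<bucket>.s3[.region].amazonaws.com/...) URLs, one per line.
extract_s3_buckets() {
  grep -ohE 'https?://(s3(\.[a-z0-9-]+)?\.amazonaws\.com/[a-z0-9.-]+|[a-z0-9.-]+\.s3(\.[a-z0-9-]+)?\.amazonaws\.com)' "$@" \
    | sed -E 's#^https?://##; s#^s3(\.[a-z0-9-]+)?\.amazonaws\.com/##; s#\.s3(\.[a-z0-9-]+)?\.amazonaws\.com$##' \
    | sort -u
}

# 2. Interpret the HTTP status of an unauthenticated HEAD on the bucket root.
#    S3 answers 404 (NoSuchBucket) for a name nobody owns, which is exactly the
#    state that let the "h2o-r" name be registered by a third party.
classify_bucket_status() {
  case "$1" in
    404)     echo "unclaimed: name is claimable, dependency is hijackable" ;;
    403)     echo "exists: owned by someone, access denied" ;;
    200)     echo "exists: publicly listable" ;;
    301|307) echo "exists: served from another region (redirect)" ;;
    *)       echo "unknown: HTTP $1" ;;
  esac
}

# Live probe (requires network; not used in the offline demo below).
probe_bucket() {
  code=$(curl -s -o /dev/null -w '%{http_code}' -I "https://$1.s3.amazonaws.com/")
  echo "$1 -> $(classify_bucket_status "$code")"
}

# 3. Mitigation: pin every artifact to a SHA-256 so a swapped tarball is refused
#    before "R CMD INSTALL" ever sees it.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

verify_sha256() {  # verify_sha256 <file> <expected-hex>; exit status 0 only on a match
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

fetch_verified() {  # fetch_verified <url> <expected-hex>; never leaves an unverified file behind
  out=$(basename "$1")
  curl -fsSL -o "$out" "$1" || return 1
  if ! verify_sha256 "$out" "$2"; then
    echo "checksum mismatch for $1, refusing to install" >&2
    rm -f "$out"
    return 1
  fi
}

# Offline demo: a constructed artifact whose content is the six bytes "hello\n",
# with the well-known SHA-256 of that content as the pinned value.
DEMO_FILE="${TMPDIR:-/tmp}/demo-artifact.tar.gz"
printf 'hello\n' > "$DEMO_FILE"
GOOD_HASH=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

echo "S3 buckets referenced by $SAMPLE_SCRIPT:"
extract_s3_buckets "$SAMPLE_SCRIPT"
echo "HTTP 404 on bucket root means: $(classify_bucket_status 404)"
verify_sha256 "$DEMO_FILE" "$GOOD_HASH" && echo "checksum ok: $DEMO_FILE"
```

In a real pipeline the audit step would run `probe_bucket` over the output of `extract_s3_buckets` for every script and Dockerfile in the repository, and any 404 is a finding to fix before someone else claims the name. The `fetch_verified` shape is what the download line in the setup script should look like: the hash is committed next to the URL, so control of the bucket no longer translates into control of what gets installed.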