RCE due to a dependency confusion in openziti/ziti
May 5th 2022
I hope you are well. I found a dependency confusion vulnerability in this repo.
When I analyzed your repo, I found a Makefile which installs a dependency: https://github.com/openziti/ziti/blob/271614d50df5535cf99ad0882649ae0ef7bb88a2/ziti/Makefile#L155
go get github.com/GoASTScanner/gas
I then tested this URL and it was redirecting to https://github.com/securego/gosec. So, I tested whether I could take over the old username to cause a dependency confusion vulnerability. This username was available to take, and I took it for the PoC. But so as not to impact any users, I did the following steps.
Proof of Concept
1.) I forked https://github.com/securego/gosec
2.) I changed the repo name from gosec to gas
3.) I changed my username from akincibor to GoASTScanner
4.) I re-changed my username from GoASTScanner to akincibor
Now github.com/GoASTScanner/gas is redirecting to my repo github.com/akincibor/gas.
Everyone can make this URL redirect to their own repo. They can also create a new GitHub account and take the old username without re-changing it.
As an attacker, I can host malicious content on my GitHub repository. I can also host an SDK, malware or a simple backdoor, which can lead to an RCE because the malicious code will be installed: my repo will be installed rather than the real one.
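The defensive check that follows from this report is to audit every `go get` target in a build script for two things: is it pinned to a version or commit, and does the GitHub owner named in the import path still own the repository it resolves to. The Go program below is an added example written for this page; it is not code from the reporter or from the openziti/ziti project. It extracts `go get` targets from a Makefile body, compares the owner in each import path with the owner of the URL it redirects to, and reports unpinned targets. The sample Makefile is constructed; the one real data point in it is the redirect from github.com/GoASTScanner/gas to github.com/securego/gosec observed in the report, which the offline resolver replays. `HTTPResolver` is the network-backed variant, assumed to work against GitHub's 301 redirect for renamed or transferred repositories.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// sampleMakefile is a constructed fragment modelled on the pattern in the report.
const sampleMakefile = `# constructed sample
tools:
	go get github.com/GoASTScanner/gas
	go get -u github.com/example-org/lint@v1.2.3
	@go get golang.org/x/tools/cmd/goimports@latest
`

// Finding is one audit result for a go get target.
type Finding struct {
	ImportPath string
	Reason     string
}

// ExtractGoGetPaths returns the targets of every `go get` recipe line,
// skipping flags such as -u and the silencing @ prefix.
func ExtractGoGetPaths(makefile string) []string {
	var paths []string
	sc := bufio.NewScanner(strings.NewReader(makefile))
	for sc.Scan() {
		fields := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "@"))
		if len(fields) < 3 || fields[0] != "go" || fields[1] != "get" {
			continue
		}
		for _, f := range fields[2:] {
			if !strings.HasPrefix(f, "-") {
				paths = append(paths, f)
			}
		}
	}
	return paths
}

// ownerOf returns the lower-cased "host/owner" of an import path or repo URL.
func ownerOf(s string) (string, error) {
	if !strings.Contains(s, "://") {
		s = "https://" + s
	}
	u, err := url.Parse(s)
	if err != nil {
		return "", err
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if parts[0] == "" {
		return "", fmt.Errorf("no owner in %q", s)
	}
	return strings.ToLower(u.Host + "/" + parts[0]), nil
}

// OwnerMismatch reports whether the repository an import path resolves to is
// owned by a different account than the one named in the import path.
func OwnerMismatch(importPath, resolved string) (bool, error) {
	want, err := ownerOf(importPath)
	if err != nil {
		return false, err
	}
	got, err := ownerOf(resolved)
	if err != nil {
		return false, err
	}
	return want != got, nil
}

// HTTPResolver issues a HEAD request for the owner/repo prefix of an import
// path without following redirects and returns the Location it points at
// (or the original URL when there is no redirect). A 404 means the name is
// unclaimed, which is the precondition for the takeover described above.
func HTTPResolver(importPath string) (string, error) {
	parts := strings.SplitN(importPath, "/", 4)
	if len(parts) < 3 {
		return "", fmt.Errorf("import path %q has no owner/repo", importPath)
	}
	repoURL := "https://" + strings.Join(parts[:3], "/")
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}}
	resp, err := client.Head(repoURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if loc := resp.Header.Get("Location"); loc != "" {
		return loc, nil
	}
	if resp.StatusCode == http.StatusNotFound {
		return "", fmt.Errorf("%s does not exist (owner name may be unclaimed)", repoURL)
	}
	return repoURL, nil
}

// RecordedResolver replays the redirect observed in the report so the audit
// runs offline; every other path is treated as resolving to itself.
func RecordedResolver(importPath string) (string, error) {
	if importPath == "github.com/GoASTScanner/gas" {
		return "https://github.com/securego/gosec", nil
	}
	return "https://" + importPath, nil
}

// Audit flags targets that are unpinned (no @version, or a floating one) and
// targets whose owner differs from the owner they redirect to.
func Audit(makefile string, resolve func(string) (string, error)) []Finding {
	var findings []Finding
	for _, target := range ExtractGoGetPaths(makefile) {
		path, version, pinned := strings.Cut(target, "@")
		if !pinned || version == "latest" || version == "master" {
			findings = append(findings, Finding{path, "not pinned to a version or commit"})
		}
		final, err := resolve(path)
		if err != nil {
			findings = append(findings, Finding{path, "could not resolve: " + err.Error()})
			continue
		}
		if mismatch, err := OwnerMismatch(path, final); err == nil && mismatch {
			findings = append(findings, Finding{path, "redirects to a different owner: " + final})
		}
	}
	return findings
}

func main() {
	// Swap RecordedResolver for HTTPResolver to audit a real Makefile online.
	for _, f := range Audit(sampleMakefile, RecordedResolver) {
		fmt.Printf("%-42s %s\n", f.ImportPath, f.Reason)
	}
}
```

A redirect to a different owner is not by itself malicious (the gosec rename was legitimate), but it is exactly the state in which the original owner name may be free to register, so each such finding should be resolved by updating the import path to the current owner and pinning it.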