GitHub flaw could allow attackers to take over other users’ repositories
A serious flaw in cloud-based repository hosting service GitHub could allow attackers to take over other repositories.
Cloud-based repository hosting service GitHub has addressed a vulnerability that could have been exploited by threat actors to take over other users’ repositories.
The vulnerability, discovered by Checkmarx, is known as the attack technique RepoJacking. This technique could allow attackers to infect all applications and code in the repository.
“The Checkmarx SCS (Supply Chain Security) team discovered a vulnerability in GitHub that could allow an attacker to take control of a GitHub repository and potentially infect all applications and other code that depend on it with malicious code.” Read the post published by Checkmarx . “Without a clear inclination, all renamed usernames on GitHub are vulnerable to this vulnerability, including over 10,000 packages on the Go, Swift and Packagist package managers. This means that thousands of packages could be would be immediately hijacked and begin serving malicious code to millions of users.”
The researchers discovered the vulnerability in the “popular repository namespace retirement” mechanism and developed an open-source tool to identify and help reduce the risk of exploiting the vulnerability in the mechanism.
In a RepoJacking attack, the attacker obtains the old username of the repository after the legitimate creator changes the username, and then publishes a rogue repository of the same name to trick users into downloading its content.
Github introduced a “popular repository namespace retirement” mechanism to prevent RepoJacking. According to security measures, any repository with more than 100 clones when its user account is renamed is considered “retired” and cannot be used by others.
The combination of username and repository name is considered “retired”.
Checkmark researchers discovered the following bypasses that abuse the “repository transfer” feature:
- “victim/repo” is a popular GitHub repository decommissioned under the umbrella of “Popular Repository Namespace Retirement”.
- “helper_account” create “Repurchase” repository
- “helper_account” transfer ownership “Repurchase” repository to “Attacker account.”
- “attacker account” rename its username to “victim.”
- new “victim” account (previously “attacker account”) to accept the transfer of ownership
Namespaces “victim/repo” Now under the attacker’s control
Successful exploitation of the vulnerability could allow an attacker to push a repository containing malicious code and launch a supply chain attack using the renamed username.
“As previously shown by bypassing this protection, a successful exploit can take over popular code packages in multiple package managers, including ‘Packagist’, ‘Go’, ‘Swift’, etc. We’ve discovered in these package managers Over 10,000 packages with renamed usernames are at risk of being attacked by this technique if new bypasses are discovered.” The report concludes.
“Furthermore, exploiting this bypass could also lead to the takeover of popular GitHub actions that can also be used by specifying GitHub namespaces. Poisoning popular GitHub actions could lead to a major supply chain attack with significant impact.”
Here is the timeline for this issue:
- 11/1/21 – We found a way to bypass the GitHub namespace deactivation feature
- 11/8/21 – We disclosed bypass discovery to GitHub
- 11/8/21 – GitHub admits to bypass and replies that they are working on a fix
- 3/24/22 – GitHub responds that they have fixed the bypass
- 5/11/22 – We found that the bypass is still exploitable and reported to GitHub
- 5/23/22 – found this attack to be effective against open source attacks
- 5/25/22 – The technique was released by a security researcher responsible for the attack and fixed by GitHub shortly after
- 06/13/22 – We discovered an additional vulnerability that bypassed the GitHub namespace deactivation feature and reported it to the company
- 9/19/22 – GitHub fixed the vulnerability, classified it as “High” severity, and awarded us a bug bounty
- 10/26/22 – Full Disclosure
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
(security affairs – hacking, repo hijacking)
share