RootedCON https://www.rootedcon.com Marzo/March 5-7 2020 Madrid (Spain)

1. Deceiving software developers through software
libraries
The day I ruled the world:
Cybersecurity Group UAH

2. $ whoami
Javier Junquera Sánchez
Cybersecurity researcher & lecturer
2
Carlos Cilleruelo Rodríguez
Cybersecurity researcher
javier.junquera@uah.es
@junquera
/in/junquera
carlos.cilleruelo@uah.es
@carloslannister
/in/carlos-cilleruelo/

3. ProTego
https://protego-project.eu/
@protego_project
3
Research and innovation programme under grant agreement No. 826284

4. Introduction
➔ Rooted 2019
➔ Homograph attacks
➔ Deep confusables
(dataset)
4

5. Introduction
5

6. Background
● How many apps have problems with
homograph attacks?
● How developer software is dealing with it?
○ IDEs
○ Text Editor
○ Programing languages
6

7. Background
➔ April 11, 2018
➔ Still not solved
◆ Whatsapp
◆ Telegram
7

8. Bounties?
8

9. Twitter
9

10. Steam and Facebook
10

11. 11
IDEs, Text Editors and Terminals

12. Why developers?
12

13. Nodemon
13

14. Nodemon
14

15. IDEs, Text Editors and Terminals
15

16. Open Source
● Ok, I can use it in an IDE, but...
● How could I deliver it?
○ Open Source!
16

17. Homograph libraries
17

18. pip
pip install git+https://github.com/django/django.git@45dfb3641aa4d9828a7c
18

19. GitLab
19

20. GitLab
20

21. Github
21

22. Package managers
22

23. Uploading libraries
23

24. Package creation
➔ NodeJS
◆ package.json
24

25. Package creation
➔ Python
◆ setup.py
25

26. Package creation
➔ Python
◆ setup.py
26

27. Package creation
➔ Python
◆ setup.py
27

28. Uploading
# NEVER USE THIS DEPENDENCY
It's a security test
A bad copy of {original_name} for
testing homographic vulnerabilities.
28

29. Uploading
● We were testing uploading packages
● But then…
29

30. Fuzzer
➔ Homographic
➔ Homophonic
➔ Truncation
➔ Permutation
➔ Duplication
➔ Upper/Lower characters
➔ Similar characters
➔ “Advanced”
◆ Spaces
◆ LTR/RTL
30

31. Fuzzer
➔ change_similar(homográficos,h𝐨mográficos,changing o by
b'xf0x9dx90xa8')
➔ homophonic(homofonicos,houmoufounicous,o sounds like ou)
➔ gen_deletions(truncar,tuncar,0, 1)
➔ gen_permutations(permutar,premutar,permuting char at 1)
➔ duplicates(duplicar,dupplicar,2)
➔ gen_case(caselogic,caseloGic,6)
➔ add_spaces(spaces,s<U+180E>paces,inserting space
b'xe1xa0x8e' at position 1)
➔ rtl(ltr,<U+202D>rtl,inserting b'e280ad' at position 0)
31

32. Fuzzer
32
Ok... , so what’s next? :)

33. Uploading
➔ Let's upload everything
◆ UNICODE not allowed :(
◆ “Spaces not allowed”
◆ But… everything else:
● No limit, no control :)
◆ Remember academia
33

34. Dependencies selection
● Top 10
○ PyPI
○ NPM
● Some we consider complicated to write
○ Who t.f. chose psycopg2-binaries?
34

35. Packages creation
You have commited an error installing
the dependency `{original_name}`,
and have installed `{new_name}`.
If `{new_name}` had mailicious code,
you would have been pwned.
This file has been generated by
`{new_name}` for advertising you, and
we have no made any change in your
system.
35
Fix: you just need to delete the
dependency
`{new_name}` and
install `{original_name}`.
{new_name} is part of a research
about
attack in dependecies names.
For more information about it
contact javier@junquera.xyz

36. Telemetry
➔ User profile (Root | Not)
➔ Package manager (pypi | npm)
➔ Original name
➔ Modified name
➔ OS version
➔ Country, ~City (RGPD IP)
◆ It is difficult asking for consent :)
36

37. 37
And once uploaded…
Don’t worry…

38. 38
00:00

39. 39
01:00

40. 40
02:00

41. 41
03:00

42. 42
04:00

43. 43
05:00

44. 44
06:00

45. 45
07:00

46. 46
08:00

47. 47
09:00

48. 48
10:00

49. 49
11:00

50. 50
12:00

51. 51
13:00

52. 52
14:00

53. 53
15:00

54. 54
16:00

55. 55
17:00

56. 56
18:00

57. 57
19:00

58. 58
20:00

59. 59
21:00

60. 60
22:00

61. 61
23:00

62. 62
> 800 hours

63. 63
Goodbye
➔ (Delete | Try to delete)
the uploaded packages
➔ Shutdown the API
➔ Then, we start to study the
obtained data

64. Fuzzing results
64
node dependency Names generated
bootstrap 1449
commander 1068
prop-types 1043
express 868
lodash 811
request 798
moment 758
chalk 595
react 580
async 548
debug 520
python dependency Names generated
python-dateutil 1693
botocore 1416
s3transfer 1052
urllib3 1003
requests 950
certifi 947
psycopg2 862
pyyam1 769
pyasn1 600
pip 441
six 361

65. Infection results
65
Attack type Infections Ratio
Truncation 361 43.07%
Permutation 281 33.53%
Duplication 115 13.72%
Homophonic 68 8.11%
Similar characters 11 1.31%
Upper/Lower characters 2 0.23%
Total attacks 838 100%

66. PyPI infection results
66
Changed name Original name Attack type Downloads
pyscopg2 psycopg2 permutation 53
syx six homophonic 44
nump numpy truncation 27
psycopg-binary psycopg2-binary truncation 19
reqeusts requests permutation 18
psycog2 psycopg2 truncation 14
urllib3_ urllib3 spaces 12
pyscopg2-binary psycopg2-binary permutation 12
pycopg2 psycopg2 permutation 12
psycop2-binary psycopg2-binary truncation 11

67. npm infection results
67
Changed name Original name Attack type Downloads
bootstarp bootstrap permutation 35
bootsrap bootstrap truncation 33
bootstap bootstrap truncation 17
expess express truncation 10
exress express truncation 9
wepback-cli webpack-cli homograph 9
bootstra bootstrap truncation 6
moemnt moment permutation 5
bootstrp bootstrap truncation 5
webpac-cli webpack-cli truncation 5

68. Root?
68

69. Root vs Non-root installations
69

70. WTFs
● npm don’t allow deletions
● We receive petitions from packages
we didn’t upload successfully...
● Our account has “fans”
○ Systems/enterprises monitoring the
repositories
70

71. WTFs
71
2020-03-05
19:41:17.953363,123.204.x.x,False,pypi,reques
ts,requsets,3.8.2 (tags/v3.8.2:7b3ab59, Feb
25 2020, 22:45:29) [MSC v.1916 32 bit
(Intel)],Taiwan,Taipei
How many mirrors are there?
What do they mirror? Who manages them?

72. Reactions
➔ After a looooooot of time we got banned
➔ 1(,5) Email(s)
➔ Internet questions
◆ Forum
◆ Stackoverflow
72

73. Reactions
73

74. Reactions
74

75. Reactions
75

76. Reactions
➔ ¡BAN!
◆ After 30 days
76

77. Report PyPI
➔ Rate-limiting?
77

78. Report npm
78

79. Internal Threat Hunting inside npm
if dependencies_uploaded > 1000 {
sleep(2592000) # 30 days
ban()
}
79

80. Demo time!
80

81. Demo time!
81
Hay video por si acaso...
BANEADO

82. Code in GitLab
DEC-DEV-DEP
https://gitlab.com/ciberseg-uah/public/dec-dev-dep
82

83. Conclusions
➔ Repositories don’t care
➔ Developers don’t read
◆ And we are the first
83
sudo apt install <tab> <tab>

84. Recommendations
➔ Disable code execution (like RubyGems does)
➔ Mandatory with no sudo
◆ PyPI has developed measures
➔ Identify library with also developer name (like Docker Hub)
➔ Limit upload rate
➔ Limit users?
84

85. Agradecimientos
85
Cybersecurity Group UAH

86. That’s all folks!
javier.junquera@uah.es
@junquera
/in/junquera
carlos.cilleruelo@uah.es
@carloslannister
/in/carlos-cilleruelo/
86