Entry points in open source packages across multiple programming languages can be abused for code execution, leading to supply chain attacks, web application security firm Checkmarx warns.
In Python, for instance, entry points are designed as a mechanism for exposing specific package functionality, enabling developers to create command-line scripts to be executed after package installation, and can be used in applications to load plugins that provide additional functionality.
“The most popular kind of entry point is console_scripts, which points to a function that you want to be made available as a command-line tool to whoever installs your package,” Checkmarx explains.
Upon package installation, entry points are recorded in the package’s metadata and other packages can query the metadata to discover and use them.
“If an attacker can manipulate a legitimate package’s metadata or convince a user to install a malicious package, they can potentially execute arbitrary code on the user’s system whenever the defined command or plugin is invoked,” the security firm says.
Attackers could rely on command-jacking, malicious plugins, and malicious extensions to exploit Python entry points to convince users to execute malicious code.
Threat actors can build malicious packages that rely on entry points to pose as popular third-party tools, targeting developers who frequently use such tools in workflows.
“For instance, an attacker might create a package with a malicious ‘aws’ entry point. When unsuspecting developers who regularly use AWS services install this package and later execute the aws command, the fake ‘aws’ command could exfiltrate their AWS access keys and secrets,” Checkmarx explains.
Malicious packages could impersonate commands used in various development environments, such as docker, npm, pip, git, kubectl, terraform, gcloud, heroku, and dotnet. They could also impersonate system utilities by using command names such as touch, curl, cd, ls, and mkdir, among others.
While the impersonation of system utilities increases the chances of users accidentally executing the code, it also increases the risks of failure (if the entry point does not appear earlier in the package’s PATH than the system directories) and discovery (if the expected command is not executed).
To avoid suspicion, however, attackers can create entry points that act as wrappers for the original command, which will be executed along with the malicious code, thus maintaining the appearance of normal operation.
According to Checkmarx, attackers can also create seemingly helpful plugins that use the entry points of popular tools and frameworks, such as pytest, to inject malicious code.
“The malicious plugin could then stealthily run malicious code in the background during testing. The malicious plugin could also override pytest’s assertion comparison, causing, for example, all equality checks to pass regardless of their actual values, leading to false positives in test results, allowing buggy or vulnerable code to pass quality checks unnoticed,” the security firm explains.
Additionally, malicious extensions for popular development tools, such as Flake8, could target entry points, leading to harmful behavior, malicious code injection, or operation results manipulation.
Checkmarx notes that entry points can be exploited in supply chain attacks targeting major ecosystems, including Dart Pub, npm (JavaScript), NuGet (.NET), Ruby Gems, and Rust Crates.
Related: Cryptocurrency Wallets Targeted via Python Packages Uploaded to PyPI
Related: Dependency Confusion Could Have Led to RCE in Google Cloud Platform
Related: Dell Announces New Supply Chain Security Offerings
Related: Code Execution Vulnerability Impacts Linux Package Manager