Security researcher used misspellings to execute arbitrary code

Jun 9, 2016

A German student at Berlin's Humboldt University has developed an attack that relies on misspellings to make users install the wrong software packages. By publishing packages with names similar to popular ones, he managed to execute arbitrary code on 17,289 hosts.

The student, Nikolai Tschacher, writes that he got the idea for this attack from a practice commonly used with domain names and known as typosquatting. A malicious party registers a domain name that resembles an existing brand's but deviates slightly, for example gooogle.com instead of google.com. Because users sometimes make spelling errors when typing a domain name, there is a chance that they end up on the spoofed site, which can, for example, serve malware.

Tschacher realized that the same method could be applied elsewhere, namely to the installation of software packages on computer systems. Users often type a command to install a specific piece of software, such as sudo pip install requests. This installs the 'requests' package from the Python repository called PyPI. The researcher reports that, besides PyPI, he also targeted the Ruby and Node.js repositories.

He conducted his research by creating 214 different packages whose names contain common misspellings, for example 'reqeusts' instead of 'requests' and 'coffe script' instead of 'coffee-script'. In all cases the code carried in the packages could be executed immediately during installation. He also added a function that informed the victim that a spelling mistake had been made and that the wrong package had been installed. His programs also sent anonymous data to a server of the university, on which he based his analysis.

His statistics show that 45,334 HTTP requests were made by 17,289 hosts between November 2015 and February 2016. 43.6 percent of the requests were run with administrator privileges, on Linux, Windows and OS X, which means he could have obtained full access to those systems. Tschacher was also able to develop a worm based on his method that automatically searches an infected system for packages whose names are often misspelled. By registering the misspelled packages in the various repositories, he could increase the effectiveness of the worm.

The student writes that the best defense against such an attack is to disable the direct execution of code during software installation. In addition, it is wise to draw up a list of commonly misspelled package names and warn administrators when they make a spelling mistake. Tracking the 404s of failed installations is also a solution, he says.
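As an added example (not code from Tschacher's research or from this article), here is a small Python check of the kind the second recommendation describes: it normalizes a requested package name the way PyPI does (PEP 503) and warns when the name lies within a small edit distance of a known popular package but is not an exact match. The list of popular names is a constructed sample, and the distance threshold is an assumption.

```python
import re

# Constructed sample of popular package names; a real list would be much longer.
POPULAR = {"requests", "urllib3", "setuptools", "six", "coffee-script", "numpy"}


def normalize(name: str) -> str:
    """Canonicalize a name as PyPI does (PEP 503): lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (optimal string alignment): insertion, deletion,
    substitution and adjacent transposition each cost 1, so 'reqeusts' is 1 from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def likely_typo_of(requested: str, known=POPULAR, max_distance: int = 2):
    """Return the known package that `requested` most likely misspells, or None when the
    name is an exact match or too far from every known name. The threshold of 2 is assumed."""
    req = normalize(requested)
    known_norm = {normalize(k): k for k in known}
    if req in known_norm:
        return None  # exact match after normalization: nothing to warn about
    best = None
    for norm, original in known_norm.items():
        dist = edit_distance(req, norm)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, original)
    return best[1] if best else None


if __name__ == "__main__":
    for name in ["requests", "reqeusts", "Coffe_Script", "urlib3", "flask"]:
        hit = likely_typo_of(name)
        print(f"{name}: " + (f"WARNING, did you mean '{hit}'?" if hit else "ok"))
```

Such a check belongs in a wrapper around the install command or in a repository-side warning, and it complements rather than replaces the first recommendation, since a warning does nothing once install-time code has already run.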
