Argument injection bug posed RCE risk

A vulnerability put PHP dependencies at risk from attack

One of the important components of Composer, the main package manager for PHP applications, contained a vulnerability that could have been abused to attack coding repositories, researchers at SonarSource have found.

Packagist, the vulnerable component, enables Composer to determine and download software dependencies that software developers include in their projects. Composer serves approximately two billion software packages every month.

The vulnerability might potentially have been exploited to distribute malicious backdoored packages to servers, a technical blog post by SonarSource explains.

An estimated 3500,000 dependencies were threatened by the security flaw.

Fortunately, the vulnerability was resolved by project maintainers only hours after it was reported.

Argument injection

The new bug comes a year after SonarSource discovered and reported another supply chain attack vulnerability in Packagist. The previous bug was in the classes that interact with version control systems (VCS) like Git, Mercurial, and Subversion to resolve dependencies from code repositories.

While that vulnerability was patched by the maintainers of Packagist, SonarSource researchers found that other parts of the same class implementations were still prone to potential attack.

“Our previous research helped us navigate quickly to the juicy sections of the code base, but at the same time, we’ve missed this bug several times when reviewing code and patches related to our previous discovery,” Thomas Chauchefoin, a vulnerability researcher at SonarSource, told The Daily Swig.

To display information about packages, Packagist reads content from or a user-specified file in the code repository. Packagist contains separate implementations to retrieve file data from different VCS systems. Each of these implementations composes a shell command that includes content from the user-supplied file.

According SonarSource, if an attacker inserted malicious commands in the information file, they would be inserted as arguments in the shell command that ran on the system. And although Packagist uses escaping mechanisms to stop malicious code, it left some gaps open.

Supply chain attack

In a proof-of-concept video, the researchers show how the vulnerability can be exploited to run arbitrary commands on the server.

The attacker could abuse the bug to modify the definition of a package and point it to an unintended destination, tainting the software development pipeline in the process.

“Defending against argument injection bugs is very unusual compared to all the techniques we’ve been pushing to developers in the past decade, and I think that’s why we’ve been finding them a lot,” Chauchefoin commented.

“Third-party data can be encoded, escaped, and tightly validated, but that’s often not enough!”

Protect yourself

The bug was patched shortly after SonarSource reported it to Packagist. If you are using the default official Packagist instance or Private Packagist, you are already safe. If you have integrated Composer as a library and operate on untrusted repositories, you must upgrade to one of the patched versions of the library.

“Nothing changed in the year after our previous discovery, which is understandable as these are vital projects with years of work behind them,” Chauchefoin said.

“Enforcing features like the signing of any build artifact (i.e., packages) would likely introduce non-trivial changes to the workflows of millions of developers.”

Meanwhile, Chauchefoin expressed hope that more traction around new standards like sigstore might help mitigate the risks of supply chain attacks.

“Ideally, package managers should only be tubes between the maintainers and package users, and there should be no way to tamper with what's flowing inside. Signing everything is the key, and sigstore makes it much more affordable,” he said.

RELATED Nepxion Discovery software with Spring Cloud functionality fails to patch RCE, info leak bugs