Security researcher deploys misspellings to execute arbitrary code


A German student at Humboldt University in Berlin has developed an attack based on the spelling mistakes users make when installing software packages. By publishing packages whose names are common misspellings of popular ones, he was able to run arbitrary code on 17,289 hosts.

The student, Nikolai Tschacher, writes that he got the idea for this attack from a practice commonly seen with domain names and known as “typosquatting”: a malicious party registers a domain name that resembles an existing, trusted one but differs by a character or two, such as gooogle.com instead of google.com. Since users sometimes mistype a domain name, there is a chance they will land on the fake site, which can then serve malware, for example.

Tschacher realized that the same technique applies to installing software packages. A user typically types a command such as sudo pip install requests, which installs the ‘requests’ package from the Python package index, PyPI. Whatever package that name resolves to is the one whose code ends up on the system, so a misspelled name fetches whatever happens to be registered under the misspelling. The researcher writes that in addition to PyPI he also targeted the Ruby (RubyGems) and Node.js (npm) repositories.

He conducted his research by creating 214 different packages whose names are common misspellings of popular ones, for example ‘reqeusts’ instead of ‘requests’ and ‘coffe-script’ instead of ‘coffee-script’. In all three ecosystems a package can run code at install time (a Python setup.py, for instance), so in every case the code in his packages executed immediately on installation. He also added a function that notifies the ‘victim’ that a spelling error has been made and the wrong package has been installed. His packages also sent anonymized data to a university server, from which he conducted his analysis.

His statistics show that 45,334 HTTP requests were made by 17,289 hosts between November 2015 and February 2016. 43.6 percent of the requests came from installs running with administrative privileges on Linux, Windows, and OS X, which would have given him full control over those systems. Tschacher was also able to develop a worm based on his method that automatically searches an infected system for packages that are often misspelled. By then registering the misspelled names in the various repositories, he was able to increase the worm’s effectiveness.

The student writes that the best defense against such an attack is to disable direct code execution when installing software. It is also wise to compile your own list of frequently misspelled package names and to warn administrators when they make a spelling mistake. Tracking 404 responses from failed installs is another option, he says.
