PowerShell Gallery Vulnerabilities Enable Typosquatting and Supply Chain Attacks
A critical security lapse in Microsoft’s PowerShell Gallery code repository has come to light, creating a fertile ground for malicious actors to execute typosquatting attacks, manipulate popular package names, and potentially orchestrate large-scale supply chain attacks.
PowerShell Gallery serves as a community-driven online repository for packages, offering scripts and cmdlet modules catering to various needs within the PowerShell community. However, AquaSec’s Nautilus team has uncovered vulnerabilities in the repository’s policies, which Microsoft has yet to address despite being alerted to the issues.
The vulnerabilities originate from lenient naming policies within PowerShell Gallery. Exploiting these lax rules, malicious entities can upload packages with names strikingly similar to existing ones, a tactic known as ‘typosquatting’. In a proof-of-concept (PoC) demonstration, the report shows how a popular module such as ‘AzTable’, which has 10 million downloads, could be imitated under a slightly altered name such as ‘Az.Table’, making it hard for users to tell the legitimate module from the malicious one.
Furthermore, the researchers found that spoofing package details, including Author and Copyright information, exacerbates the risks posed by typosquatting. This maneuver not only intensifies the impact of package impersonation but can also deceive users into trusting packages that appear to be created by reputable publishers.
Compounding these issues, PowerShell Gallery hides the ‘Owner’ field under ‘Package Details’ by default. This makes it harder for users to see which publisher account actually uploaded the package.
Spoofed package (left) and real module (right) (source: AquaSec)
AquaSec’s investigations further unearthed an additional vulnerability – the potential exposure of unlisted packages/modules, typically unindexed by the Gallery’s search engine. Astonishingly, an XML file on the platform divulged comprehensive details about both listed and unlisted packages. By exploiting the API link present in the XML response, threat actors can access the complete PowerShell package database, encompassing various versions and sensitive information within unlisted packages.
API key of a big tech firm exposed on the unlisted project (AquaSec)
Mitigation
The AquaSec team responsibly disclosed these vulnerabilities to Microsoft on September 27, 2022. Despite Microsoft’s assurance of a resolution by early November, the issues persisted when AquaSec re-verified them on December 26, 2022. Even as of August 16, the vulnerabilities remain unaddressed, indicating that no comprehensive fix has been implemented.
Users of the PowerShell Gallery repository are strongly advised to adopt a series of protective measures: execute only signed scripts, use trusted private repositories, regularly scan module source code for sensitive data, and deploy real-time monitoring in cloud environments to promptly detect suspicious activity.
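As an added example, not code from the article or from AquaSec's report, the following PowerShell script applies that advice before a module is installed: it flags a requested name that collides with a trusted module once case and punctuation are stripped (the ‘AzTable’ / ‘Az.Table’ case above), stages the module without installing it, checks the Authenticode signature of every script file, and greps the source for credential-looking strings. It assumes the PowerShellGet cmdlets Find-Module and Save-Module are available; the trusted-name allow-list and the secret patterns are constructed for illustration.

```powershell
# Added example (not from the article or AquaSec): vet a PowerShell Gallery
# module before installing it. Assumes PowerShellGet (Find-Module/Save-Module);
# the allow-list and secret regexes below are constructed for illustration.
param(
    [Parameter(Mandatory)][string]$Name,
    [string[]]$TrustedNames = @('AzTable', 'Az.Accounts', 'PSReadLine')  # constructed allow-list
)
$findings = 0

# 1. Look-alike check: drop case and punctuation so 'Az.Table' collides with 'AzTable'.
$norm = { param($s) ($s -replace '[^A-Za-z0-9]', '').ToLowerInvariant() }
$collisions = $TrustedNames | Where-Object { $_ -ne $Name -and (& $norm $_) -eq (& $norm $Name) }
if ($collisions) {
    Write-Warning "'$Name' is a case/punctuation variant of trusted module(s): $($collisions -join ', ')"
    $findings++
}

# 2. Gallery metadata (Author, CompanyName) is supplied by the uploader; show it, do not trust it.
$meta = Find-Module -Name $Name -Repository PSGallery -ErrorAction Stop
Write-Host ("Gallery metadata -> Author: {0}  Company: {1}  Version: {2}" -f $meta.Author, $meta.CompanyName, $meta.Version)

# 3. Stage the module without installing it, then verify Authenticode signatures on each script file.
$stage = Join-Path ([IO.Path]::GetTempPath()) ("psvet-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $stage -Force | Out-Null
Save-Module -Name $Name -Path $stage -Repository PSGallery -ErrorAction Stop
$files = Get-ChildItem -Path $stage -Recurse -Include *.ps1, *.psm1, *.psd1
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -eq 'Valid') {
        Write-Host "Signed by $($sig.SignerCertificate.Subject): $($f.Name)"
    } else {
        Write-Warning "Unsigned or invalid signature ($($sig.Status)): $($f.FullName)"
        $findings++
    }
}

# 4. Scan the staged source for credential-looking strings before anything is imported.
$secretPatterns = @(
    'AKIA[0-9A-Z]{16}',                                               # AWS access key id shape
    '(?i)(api[_-]?key|secret|password)\s*[:=]\s*[''"][^''"]{8,}',     # key = "…" assignments
    '-----BEGIN (RSA |EC )?PRIVATE KEY-----'                           # embedded private keys
)
$hits = $files | Select-String -Pattern $secretPatterns
foreach ($h in $hits) {
    Write-Warning ("Possible secret in {0}:{1}: {2}" -f $h.Filename, $h.LineNumber, $h.Line.Trim())
    $findings++
}
Write-Host "$findings finding(s) for '$Name'; staged copy left at $stage for review"
```

Run it as `.\Vet-GalleryModule.ps1 -Name Az.Table` from a host that can reach PSGallery; a non-zero finding count means the module should be reviewed (or served from a private repository) rather than installed as-is.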
When queried about AquaSec’s findings, Microsoft acknowledged the report and highlighted the implementation of changes to identify and eliminate malicious packages. They emphasized users’ role in reporting suspicious packages through the designated “Report” link on the package module, while committing to continuous monitoring and a multi-layered defense approach for customer protection.
Source: bleepingcomputer.com