如何使用Packj检测恶意或高风险的开源软件包

开发 前端
Packj工具支持识别当前热门开源软件管理工具中提供的软件代码包,比如说NPM、RubyGems和PyPI等。在该工具的帮助下,我们可以持续审查软件包并获取免费的风险评估报告。

关于Packj

Packj是一款功能强大的代码安全检测工具,该工具本质上是一个命令行接口工具套件,可以帮助广大研究人员检测软件代码包中潜在的恶意或高风险代码,旨在缓解软件供应链攻击。该工具支持识别当前热门开源软件管理工具中提供的软件代码包,比如说NPM、RubyGems和PyPI等。在该工具的帮助下,我们可以持续审查软件包并获取免费的风险评估报告。

工具下载

由于该工具基于Python 3开发,因此我们首先需要在本地设备上安装并配置好Python 3环境。接下来,使用下列命令将该项目源码克隆至本地:

git clone https://github.com/anil-yelken/Vulnerable-Soap-Service.git

Packj提供了下列工具:

Audit:用于检测软件代码包中的高位风险属性;

Sandbox:用于安全安装软件包的环境;

$ python3 main.py --help

usage: main [options] args



options:

audit Audit a package for malware/risky attributes

sandbox Sandbox package installation to mitigate risks

工具使用

审计一个代码包

Packj可以审计开源软件包的“高风险”属性,即可能会让其容易受到供应链攻击的各种因素。比如说,包含过期电子邮件的包(缺少2FA)、发布时间间隔太长、敏感API或访问权限问题等。

工具支持审计下列内容:

多个软件包:

python3 main.py -p pypi:requests rubygems:overcommit

依赖文件:

python3 main.py -f npm:package.json pypi:requirements.txt

我们还可以在一个Docker/Podman容器中执行审计操作:

$ docker run -v /tmp:/tmp/packj -it ossillate/packj:latest audit --trace -p npm:browserify



[+] Fetching 'browserify' from npm...OK [ver 17.0.0]

[+] Checking version...ALERT [598 days old]

[+] Checking release history...OK [484 version(s)]

[+] Checking release time gap...OK [68 days since last release]

[+] Checking author...OK [mail@substack.net]

[+] Checking email/domain validity...ALERT [expired author email domain]

[+] Checking readme...OK [26838 bytes]

[+] Checking homepage...OK [https://github.com/browserify/browserify#readme]

[+] Checking downloads...OK [2.2M weekly]

[+] Checking repo_url URL...OK [https://github.com/browserify/browserify]

[+] Checking repo data...OK [stars: 14077, forks: 1236]

[+] Checking repo activity...OK [commits: 2290, contributors: 207, tags: 413]

[+] Checking for CVEs...OK [none found]

[+] Checking dependencies...ALERT [48 found]

[+] Downloading package 'browserify' (ver 17.0.0) from npm...OK [163.83 KB]

[+] Analyzing code...ALERT [needs 3 perms: process,file,codegen]

[+] Checking files/funcs...OK [429 files (383 .js), 744 funcs, LoC: 9.7K]

[+] Installing package and tracing code...OK [found ['process', 'files', 'network'] syscalls]

=============================================

[+] 5 risk(s) found, package is undesirable!



=> Complete report: /tmp/packj_54rbjhgm/report_npm-browserify-17.0.0_hlr1rhcz.json

{

"undesirable": [

"old package: 598 days old",

"invalid or no author email: expired author email domain",

"generates new code at runtime",

"reads files and dirs",

"forks or exits OS processes",

]

}

软件包沙箱安装

Packj提供了一个轻量级沙箱环境,可以用于安全地安装和测试软件包。具体而言,它可以防止恶意软件包提取敏感数据、访问敏感文件(如SSH密钥)以及植入持久化恶意软件等。操作命令如下:

$ python3 main.py sandbox gem install overcommit



Fetching: overcommit-0.59.1.gem (100%)

Install hooks by running `overcommit --install` in your Git repository

Successfully installed overcommit-0.59.1

Parsing documentation for overcommit-0.59.1

Installing ri documentation for overcommit-0.59.1



#############################

# Review summarized activity

#############################



[+] Network connections

[+] DNS (1 IPv4 addresses) at port 53 [rule: ALLOW]

[+] rubygems.org (4 IPv6 addresses) at port 443 [rule: IPv6 rules not supported]

[+] rubygems.org (4 IPv4 addresses) at port 443 [rule: ALLOW]

[+] Filesystem changes

/

└── home

└── ubuntu

└── .ruby

├── gems

│ ├── iniparse-1.5.0 [new: DIR, 15 files, 46.6K bytes]

│ ├── rexml-3.2.5 [new: DIR, 77 files, 455.6K bytes]

│ ├── overcommit-0.59.1 [new: DIR, 252 files, 432.7K bytes]

│ └── childprocess-4.1.0 [new: DIR, 57 files, 141.2K bytes]

├── cache

│ ├── iniparse-1.5.0.gem [new: FILE, 16.4K bytes]

│ ├── rexml-3.2.5.gem [new: FILE, 93.2K bytes]

│ ├── childprocess-4.1.0.gem [new: FILE, 34.3K bytes]

│ └── overcommit-0.59.1.gem [new: FILE, 84K bytes]

├── specifications

│ ├── rexml-3.2.5.gemspec [new: FILE, 2.7K bytes]

│ ├── overcommit-0.59.1.gemspec [new: FILE, 1.7K bytes]

│ ├── childprocess-4.1.0.gemspec [new: FILE, 1.8K bytes]

│ └── iniparse-1.5.0.gemspec [new: FILE, 1.3K bytes]

├── bin

│ └── overcommit [new: FILE, 622 bytes]

└── doc

├── iniparse-1.5.0

│ └── ri [new: DIR, 119 files, 131.7K bytes]

├── rexml-3.2.5

│ └── ri [new: DIR, 836 files, 841K bytes]

├── overcommit-0.59.1

│ └── ri [new: DIR, 1046 files, 1.5M bytes]

└── childprocess-4.1.0

└── ri [new: DIR, 272 files, 297.8K bytes]



[C]ommit all changes, [Q|q]uit & discard changes, [L|l]ist details:

恶意软件检测

在测试该工具的时候,我们成功地在PyPI上搜索出了40个恶意软家包,其中有部分已经被下架了:

$ python3 main.py audit pypi:krisqian

[+] Fetching 'krisqian' from pypi...OK [ver 0.0.7]

[+] Checking version...OK [256 days old]

[+] Checking release history...OK [7 version(s)]

[+] Checking release time gap...OK [1 days since last release]

[+] Checking author...OK [KrisWuQian@baidu.com]

[+] Checking email/domain validity...OK [KrisWuQian@baidu.com]

[+] Checking readme...ALERT [no readme]

[+] Checking homepage...OK [https://www.bilibili.com/bangumi/media/md140632]

[+] Checking downloads...OK [13 weekly]

[+] Checking repo_url URL...OK [None]

[+] Checking for CVEs...OK [none found]

[+] Checking dependencies...OK [none found]

[+] Downloading package 'KrisQian' (ver 0.0.7) from pypi...OK [1.94 KB]

[+] Analyzing code...ALERT [needs 3 perms: process,network,file]

[+] Checking files/funcs...OK [9 files (2 .py), 6 funcs, LoC: 184]

=============================================

[+] 6 risk(s) found, package is undesirable!

{

"undesirable": [

"no readme",

"only 45 weekly downloads",

"no source repo found",

"generates new code at runtime",

"fetches data over the network: ['KrisQian-0.0.7/setup.py:40', 'KrisQian-0.0.7/setup.py:50']",

"reads files and dirs: ['KrisQian-0.0.7/setup.py:59', 'KrisQian-0.0.7/setup.py:70']"

]

}

=> Complete report: pypi-KrisQian-0.0.7.json

=> View pre-vetted package report at https://packj.dev/package/PyPi/KrisQian/0.0.7

其中,Packj将KrisQian(v0.0.7)标记为可疑,因为在包安装期间(在setup.py中)缺少源代码库和使用敏感API(用于网络通信、代码生成)。经过进一步研究和分析,我们验证了这个代码包确实是存在安全问题的。

许可证协议

本项目的开发与发布遵循AGPL-3.0开源许可证协议。

项目地址

Packj:【GitHub传送门】

参考资料

https://packj.dev/

https://www.you*tube.com/watch?v=Rcuqn56uCDk

https://speakerdeck.com/ashishbijlani/pyconus22-slides

https://www.blackhat.com/asia-22/arsenal/schedule/#mitigating-open-source-software-supply-chain-attacks-26241

https://www.blackhat.com/us-22/arsenal/schedule/#detecting-typo-squatting-backdoored-abandoned-and-other-risky-open-source-packages-using-packj-28075

https://osseu2022.sched.com/overview/type/SupplyChainSecurityCon

https://nullcon.net/goa-2022/unearthing-malicious-and-other-risky-open-source-packages-using-packj

https://www.you*tube.com/watch?v=PHfN-NrUCoo?

https://speakerdeck.com/ashishbijlani/mitigating-open-source-software-supply-chain-attacks

责任编辑:武晓燕 来源: FreeBuf.COM
相关推荐

2023-12-27 11:11:15

2020-12-29 09:37:41

漏洞网络安全网络攻击

2012-02-29 09:25:30

2020-09-23 09:27:07

等保2.0网络安全恶意代码

2012-06-01 14:29:23

Platform

2022-04-29 14:19:10

网络专家网络攻击

2021-09-07 09:40:39

漏洞网络安全代码

2018-10-18 11:26:17

2021-09-29 15:30:20

安全工具PackageDNA软件包安全性

2024-03-28 11:34:23

2021-02-02 15:22:42

品高存储预警

2021-10-29 05:35:43

AkamaiAPI漏洞

2015-12-02 10:18:08

2009-12-16 10:25:14

sage开源软件包

2021-01-20 16:01:44

大数据违法边检机关

2022-09-16 14:26:56

恶意软件网络攻击

2022-09-25 12:48:28

Python恶意软件

2014-01-15 10:32:56

2017-02-27 18:59:37

LinuxYum软件包信息

2009-06-12 21:56:27

点赞
收藏

51CTO技术栈公众号