RootedCON 2020 talk. In this talk, we showed the research about software dependencies that led us to rule the world for a day. Surprisingly, we could take control of more than 800 developer machines in less than 24 hours with the collusion of the most famous software dependency repositories... And with the "collaboraiton" of the developers ;)
6. Background
● How many apps have problems with
homograph attacks?
● How developer software is dealing with it?
○ IDEs
○ Text Editor
○ Programing languages
6
31. Fuzzer
➔ change_similar(homográficos,h𝐨mográficos,changing o by
b'xf0x9dx90xa8')
➔ homophonic(homofonicos,houmoufounicous,o sounds like ou)
➔ gen_deletions(truncar,tuncar,0, 1)
➔ gen_permutations(permutar,premutar,permuting char at 1)
➔ duplicates(duplicar,dupplicar,2)
➔ gen_case(caselogic,caseloGic,6)
➔ add_spaces(spaces,s<U+180E>paces,inserting space
b'xe1xa0x8e' at position 1)
➔ rtl(ltr,<U+202D>rtl,inserting b'e280ad' at position 0)
31
33. Uploading
➔ Let's upload everything
◆ UNICODE not allowed :(
◆ “Spaces not allowed”
◆ But… everything else:
● No limit, no control :)
◆ Remember academia
33
34. Dependencies selection
● Top 10
○ PyPI
○ NPM
● Some we consider complicated to write
○ Who t.f. chose psycopg2-binaries?
34
35. Packages creation
You have commited an error installing
the dependency `{original_name}`,
and have installed `{new_name}`.
If `{new_name}` had mailicious code,
you would have been pwned.
This file has been generated by
`{new_name}` for advertising you, and
we have no made any change in your
system.
35
Fix: you just need to delete the
dependency
`{new_name}` and
install `{original_name}`.
{new_name} is part of a research
about
attack in dependecies names.
For more information about it
contact javier@junquera.xyz
36. Telemetry
➔ User profile (Root | Not)
➔ Package manager (pypi | npm)
➔ Original name
➔ Modified name
➔ OS version
➔ Country, ~City (RGPD IP)
◆ It is difficult asking for consent :)
36