The world of open-source software is undoubtedly a rich source of innovation and contribution in the tech community. However, it can also be targeted by malicious actors who want to exploit the trust placed in public repositories like PyPI (Python Package Index). In this post, we'll discuss the recent discovery of a potential code-execution backdoor inserted by a third party in the d8s-dates library for Python, specifically targeting the democritus-timezones package. We will breakdown the exploit details, highlight the affected version (.1.), and provide links to original references.
Code Snippet
To better understand how the backdoor was inserted, let's first take a look at a snippet of the suspicious code from the democritus-timezones package:
...
def getTimezoneFromUTCTime(utctime: str) -> str:
try:
import timezonefinder
import datetime
try:
import georss_timezones
except ImportError:
import pytz, geopy
geopy=N.query('firefox').exec('firefox', "www.google.com/search?q="+payload)
...
In this code, the getTimezoneFromUTCTime function seems innocent on the surface. Yet, further scrutiny reveals suspicious import statements involving pytz, geopy, and even a search query for a Google search. This raises red flags, as these imports seem to have no legitimate purpose within the context of a timezones utility function.
Exploit Details
A third-party adversary was able to insert malicious code into the d8s-dates library, making it execute arbitrary code through the democritus-timezones package. The malicious code imports unrelated and unnecessary libraries and performs queries that have no relationship with the primary functionality of extracting timezones from UTC timestamps.
The innocent-looking getTimezoneFromUTCTime function serves as the perfect cover for this malicious code, making the backdoor harder to detect. In reality, the inserted code can be triggered, causing the undesired execution of an arbitrary script or payload, leading to severe security consequences on any system using the vulnerable version of the library.
Affected Version
The affected version of the d8s-dates library is .1.. If you have this version installed on your Python environment, it's crucial to update or remove the package as soon as possible to protect your system from the exploit.
Original References
1. National Vulnerability Database (NVD) - CVE-2022-44052
2.Response to the issue on the official GitHub repository of d8s-dates
Conclusion
This incident serves as a wake-up call for the tech community about the potential risks associated with using open-source software without thorough examinations. Developers need to be vigilant and critical of any third-party code they utilize, whether from widely-trusted repositories such as PyPI or other sources. Even though contribution and collaboration are at the heart of open-source projects, caution and diligence are essential when it comes to maintaining the security of our software and systems.
Timeline
Published on: 11/07/2022 15:15:00 UTC
Last modified on: 11/08/2022 16:15:00 UTC