A MavenGate attack allows hackers to hijack Java and Android via abandoned libraries

Java and Android Apps

Several public and popular libraries that have been abandoned but are still used in Java and Android applications have proven susceptible to a new software supply chain attack method called MavenGate.

“Access to projects can be hijacked by purchasing domain names and since most default build configurations are vulnerable, it would be difficult or even impossible to know if an attack was being launched,” Oversecured says. said in an analysis published last week.

Successful exploitation of these flaws could allow nefarious actors to hijack dependency artifacts and inject malicious code into the application, and worse, even compromise the build process via a malicious plugin.

The mobile security company added that all Maven-based technologies, including Gradle, are vulnerable to the attack and that it has sent reports to more than 200 companies, including Google, Facebook, Signal, Amazon and others.

Apache Maven does mainly used for building and managing Java-based projects, allowing users to download and manage dependencies (uniquely identified by their groupIds), create documentation, and perform release management.

Although repositories hosting such dependencies can be private or publican attacker could target the latter to conduct supply chain poisoning attacks by leveraging abandoned libraries added to known repositories.

In concrete terms, it involves buying the expired ones reverse domain controlled by the dependency owner and gaining access to the groupId.

“An attacker can gain access to a vulnerable groupId by asserting rights to it via a DNS TXT record in a repository where no account exists that controls the vulnerable groupId,” ​​the company said.

“If a groupId is already registered with the repository, an attacker can attempt to access that groupId by contacting the repository’s support team.”

To test the attack scenario, Oversecured has its own test Android library (groupId: “com.oversecured”), which displays the toast message “Hello World!” , uploaded to Maven Central (version 1.0), while two versions are also uploaded to JitPack , with version 1.0 being a replica of the same library published on Maven Central.

But version 1.1 is an edited “untrusted” copy that also has the same groupId, but points to a GitHub repository under their control and is claimed by adding a DNS TXT record to point to the GitHub username to draw up proof of ownership.

The attack then works by adding both Maven Central and JitPack to the list of dependency repositories in the Gradle build script. It is worth noting at this stage that the order of declaration determines how Gradle checks for dependencies at runtime.

“When we moved the JitPack repository above mavenCentral, version 1.0 was downloaded from JitPack,” the researchers said. “Changing the library version to 1.1 resulted in using the JitPack version regardless of JitPack’s position in the repository list.”

As a result, an adversary looking to corrupt the software chain can target existing versions of a library by publishing a higher version, or against new versions by pushing a version lower than that of its legitimate counterpart.

This is another form of a dependency confusion attack in which an attacker publishes a rogue package to a public package repository with the same name as a package within the targeted private repository.

“Most applications do not check the digital signature of dependencies, and many libraries do not even publish them,” the researchers added. “If the attacker wants to remain undetected for as long as possible, it makes sense to release a new version of the library with the malicious code embedded in it, and wait for the developer to upgrade to it.”

Of the total 33,938 domains analyzed, 6,170 (18.18%) were found to be vulnerable to MavenGate, allowing threat actors to hijack the dependencies and inject their own code.

Sonatype, owner of Maven Central, said the attack strategy outlined “is not feasible due to existing automation,” but noted that it has “disabled all accounts associated with expired domains and GitHub projects” as a security measure.

It further said it was addressing a “regression in the public key validation process” that allowed artifacts to be uploaded to the repository with a non-publicly shared key. It has also announced plans to partner with SigStore to digitally sign the components.

“The end developer is not only responsible for securing direct dependencies, but also for transitive dependencies,” Oversecured said.

“Library developers should be responsible for the dependencies they declare and also write public key hashes for their dependencies, while the end developer should only be responsible for their direct dependencies.”

#MavenGate #attack #hackers #hijack #Java #Android #abandoned #libraries

Notify of
Inline Feedbacks
View all comments
Previous Post
Apple releases patch for critical Zero-Day on iPhones and Macs

Apple releases patch for critical Zero-Day on iPhones and Macs

Next Post
RokRAT Backdoor

North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor

Related Posts