A recently introduced GitHub feature can be misused to host and distribute malware among the software developer community, experts claim.
Cybersecurity researchers from Trend Micro have published a report detailing how GitHub Codespaces can be abused to deliver malicious scripts to unsuspecting developers.
The report describes GitHub Codespaces, which launched in November 2022, as “a cloud-based, instant development environment that uses a container to provide you with languages, tools, and utilities for development.” In other words, developers can write and test code directly in the browser.
TCP port forwarding problems
The problem lies in the fact that Codespaces allows TCP port forwarding, a legitimate feature that lets developers share their work with the public, presumably for testing. Anyone who knows the URL can access the work. So, in theory, a threat actor could run a Python web server, upload malware to the codespace, open the web server port, and set its visibility to “public”.
“To validate our hypothesis about a threat modeling abuse scenario, we ran a Python-based HTTP server on port 8080, forwarded the port, and publicly disclosed it,” Trend Micro said in its report. “In the process, we easily found the URL and the absence of authentication cookies.”
Furthermore, Codespaces uses HTTP for forwarded ports by default, but attackers can easily switch to HTTPS to promote a false sense of security. This is made worse by the fact that GitHub is considered a trusted environment and the traffic comes from Microsoft infrastructure, so it is unlikely to raise any antivirus alarms.
But that is not all. A Codespaces feature called “Dev Containers” can also be abused to distribute malware more smoothly. This feature allows developers to create pre-made containers that contain all the dependencies needed for a project.
Trend Micro's researchers said they were able to build a malicious web server with Codespaces “in less than 10 minutes, with no experience with the feature”.
Trend Micro concluded, “With such scripts, attackers can easily abuse GitHub Codespaces into serving malicious content at a rapid rate by publicly exposing ports in their codespace environments. Because each Codespace generated has a unique identifier, the associated subdomain is also unique. This gives the attacker enough ground to create different instances of open directories.”
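Because every forwarded port gets its own subdomain, blocklisting individual hosts does not scale; a defender instead wants to spot payload-like downloads from any Codespaces forwarded-port host in proxy logs. The detector below is an added example, not code from the article or from Trend Micro; it assumes the forwarded-port hostname form `<codespace-name>-<port>.app.github.dev` (optionally with a `preview.` label, which the article does not spell out), a constructed log format, and a hypothetical set of risky extensions and content types.

```python
import re
from dataclasses import dataclass

# Assumed hostname form of a publicly forwarded Codespaces port:
# <codespace-name>-<port>.app.github.dev (older URLs carried "preview.").
# This pattern is an assumption of the example, not taken from the article.
CODESPACE_HOST = re.compile(
    r"^(?P<name>[a-z0-9-]+)-(?P<port>\d{2,5})\.(?:preview\.)?app\.github\.dev$"
)
# Hypothetical lists of payload-like paths and content types worth a second look.
RISKY_EXT = (".exe", ".dll", ".msi", ".ps1", ".bat", ".sh", ".py", ".zip")
RISKY_TYPES = ("application/octet-stream", "application/x-msdownload", "application/x-sh")


@dataclass
class Hit:
    client: str
    host: str
    port: int
    path: str
    reason: str


def parse_line(line):
    """Parse one constructed proxy record: client method url status content-type."""
    parts = line.split()
    if len(parts) != 5:
        return None
    client, _method, url, status, ctype = parts
    m = re.match(r"^https?://([^/]+)(/.*)?$", url)
    if not m:
        return None
    return client, m.group(1).lower(), m.group(2) or "/", status, ctype.lower()


def find_codespace_downloads(lines):
    """Return successful fetches of payload-like content from Codespaces forwarded ports."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, host, path, status, ctype = rec
        hm = CODESPACE_HOST.match(host)
        if not hm or status != "200":
            continue
        reason = None
        if path.lower().endswith(RISKY_EXT):
            reason = "executable/script path"
        elif ctype in RISKY_TYPES:
            reason = f"binary content-type {ctype}"
        if reason:
            hits.append(Hit(client, host, int(hm.group("port")), path, reason))
    return hits


SAMPLE_LOG = [  # constructed sample records, not real traffic
    "10.0.0.5 GET https://fuzzy-space-abc123-8080.app.github.dev/update.exe 200 application/octet-stream",
    "10.0.0.5 GET https://fuzzy-space-abc123-8080.app.github.dev/index.html 200 text/html",
    "10.0.0.9 GET https://example.com/tools/setup.exe 200 application/octet-stream",
    "10.0.0.7 GET https://other-name-3000.preview.app.github.dev/app/bundle.js 200 application/javascript",
    "10.0.0.7 GET https://other-name-3000.preview.app.github.dev/payload 200 application/x-msdownload",
]

if __name__ == "__main__":
    for h in find_codespace_downloads(SAMPLE_LOG):
        print(f"{h.client} fetched {h.path} from port {h.port} on {h.host}: {h.reason}")
```

Ordinary downloads from non-Codespaces hosts and plain HTML or JavaScript from a forwarded port are left alone, so the output is a short triage list rather than a block decision.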
GitHub has not yet addressed the issue on its channels.
Via: BleepingComputer