RyotaK's Blog 技術的な話とか
タグ Vulnerability を持つ記事:

Stealing GitHub staff's access token via GitHub Actions

(この記事は日本語でも読むことが出来ます。)

Disclaimer

GitHub is running a bug bounty program on HackerOne, and as part of this program, vulnerability research is permitted by the safe harbor.
This article describes a vulnerability that I discovered as a result of my investigation in compliance with the safe harbor criteria and is not intended to encourage unauthorized vulnerability research activities.
If you find a vulnerability on GitHub, please report it to GitHub Bug Bounty.

TL;DR

In the actions/runner repository, which hosts the source code for the GitHub Actions runner, there was a flaw in the usage of the self-hosted runner, which allowed me to steal the Personal Access Token from GitHub Actions.
Since this token was tied to the GitHub staff account, I could perform various actions as a GitHub staff.
This potentially allowed the insertion of malicious code into repositories such as actions/checkout and actions/cache, which might affect many repositories that use GitHub Actions.

Arbitrary package tampering in Deno registry + Code Injection in encoding/yaml

(この記事は日本語でも読むことが出来ます。)

Disclaimer

Deno Land Inc., which develops Deno, isn’t running bug bounty programs, so they don’t explicitly allow vulnerability assessments.

This article describes the vulnerabilities that were reported as potential vulnerabilities, using publicly available information. This was done without actually exploiting/demonstrating the vulnerabilities and it’s not intended to encourage you to perform an unauthorized vulnerability assessment.
If you find any vulnerabilities in Deno-related services/products, please report them to engineering@deno.com.1

Also, the information contained in this article may be inaccurate because the information of a vulnerability couldn’t be validated.2

TL;DR

I found a vulnerability that could be used to read arbitrary files from the system running deno.land/x, and a Code Injection in encoding/yaml of Deno.
Of these, if the vulnerability in deno.land/x was exploited, the AWS credentials used to store the module in S3 could be stolen, resulting in arbitrary package tampering in deno.land/x.

Tampering with arbitrary packages in @types scope of npm

Preface

Definitely Typed, a project which manages npm packages inside the @types scope, is supported by Microsoft. However, it is not in the scope of the safe harbor for Microsoft’s bug bounty program.1

This article describes the vulnerabilities that were reported as potential vulnerabilities, using publicly available information. This was done without actually exploiting / demonstrating the vulnerabilities.

This article is not intended to encourage you to perform an unauthorized vulnerability assessment.
If you find any vulnerabilities in Definitely Typed related products, please report them to members of Definitely Typed.

TL;DR

There were vulnerabilities in the pull request management bot of Definitely Typed, which allowed an attacker to merge a malicious pull request into DefinitelyTyped/DefinitelyTyped.
This would result in tampering with arbitrary packages under the @types scope of npm.

Potential remote code execution in PyPI

Preface

(日本語版も公開されています。)

While PyPI has a security page, they don’t have a clear policy for vulnerability assessments.1
This article describes the vulnerabilities that were reported as potential vulnerabilities, using publicly available information. This was done without actually exploiting / demonstrating the vulnerabilities.

This article is not intended to encourage you to perform an unauthorized vulnerability assessment.
If you find any vulnerabilities in PyPI, please report them to security@python.org.2

TL;DR

There was a vulnerability in GitHub Actions of PyPI’s repository, which allowed a malicious pull request to execute an arbitrary command.
This allows an attacker to obtain write permission against the repository, which could lead to arbitrary code execution on pypi.org.

Remote code execution in cdnjs of Cloudflare

Preface

(日本語版も公開されています。)

Cloudflare, which runs cdnjs, is running a “Vulnerability Disclosure Program” on HackerOne, which allows hackers to perform vulnerability assessments.
This article describes vulnerabilities reported through this program and published with the permission of the Cloudflare security team.
So this article is not intended to recommend you to perform an unauthorized vulnerability assessment.
If you found any vulnerabilities in Cloudflare’s product, please report it to Cloudflare’s vulnerability disclosure program.

TL;DR

There was a vulnerability in the cdnjs library update server that could execute arbitrary commands, and as a result, cdnjs could be completely compromised.
This allows an attacker to tamper 12.7%1 of all websites on the internet once caches are expired.

Remote code execution in Homebrew by compromising the official Cask repository

この記事は日本語でも投稿されています: https://blog.ryotak.net/post/homebrew-security-incident/
(もし日本語が読める場合、筆者は英語がそこまで得意ではないため、日本語の記事を読むことをお勧めします。)

(Official blog post about this incident is available here: https://brew.sh/2021/04/21/security-incident-disclosure/)

Preface

Homebrew project is running a “Vulnerability Disclosure Program” on HackerOne, which allows hackers to perform the vulnerability assessment.
This article describes a vulnerability assessment that is performed with permission from the Homebrew project’s staff and is not intended to recommend you to perform an unauthorized vulnerability assessment.
If you found any vulnerabilities in Homebrew, please report it to Homebrew project’s vulnerability disclosure program.