This repository has been archived by the owner on Jul 16, 2020. It is now read-only.
forked from pypa/pip
Arbitrary package attacks for pip without TUF
Trishank Karthik Kuppusamy edited this page Sep 21, 2013
In an arbitrary package attack, we show that pip will install packages of dubious origin. These are malicious packages which an attacker has written over benign packages in order to deceive users into installing them.
First, we set up the virtual environment (for cleanroom testing) and install pip-without-TUF:

```
$ cd /tmp
$ curl -O https://pypi.python.org/packages/source/v/virtualenv/virtualenv-1.10.1.tar.gz
$ tar xvfz virtualenv-1.10.1.tar.gz
$ python virtualenv-1.10.1/virtualenv.py --no-site-packages arbitrary-package-without-tuf
$ source arbitrary-package-without-tuf/bin/activate
```
Now, suppose the attackers on PyPI tamper with the FooBar 0.1 package and update the FooBar simple index with the correct hash of the tampered package, so that pip's hash check still passes:

```
$ pip install FooBar --index-url http://mirror1.poly.edu/test-pip/arbitrary-package/repository.current/targets/simple/
Downloading/unpacking FooBar
Downloading FooBar-0.1.tar.gz
Running setup.py egg_info for package FooBar
Installing collected packages: FooBar
Running setup.py install for FooBar
TAMPERED FooBar 0.1
Successfully installed FooBar
Cleaning up...
```
Unfortunately, this user has now been compromised with a malicious FooBar package: pip verified the download only against a hash published by the same index the attacker controls, so the check could not fail. This situation could have been avoided with the arbitrary package attack protection offered by PyPI-with-TUF.
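The circular check described above, as an added Python model that is not part of this wiki or of pip: the index serves both the archive and its hash, so a client that takes the expected hash from the index accepts the tampered FooBar, while a client that compares against a hash recorded out of band (the role TUF-signed targets metadata plays) rejects it. The archive contents, the index dictionary and the function names are constructed for illustration.

```python
import hashlib

# Constructed stand-ins for the benign FooBar 0.1 sdist and the tampered copy.
BENIGN_SDIST = b"FooBar-0.1 benign setup.py\n"
TAMPERED_SDIST = b"FooBar-0.1 TAMPERED setup.py\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_simple_index(sdist: bytes) -> dict:
    """Model of a /simple/FooBar/ page: the index publishes the archive
    together with the hash fragment for it.  Whoever controls the index
    can publish a matching hash for whatever archive they serve."""
    return {"FooBar-0.1.tar.gz": sdist, "sha256": sha256_hex(sdist)}


def install_trusting_index(index: dict) -> str:
    """pip-without-TUF behaviour: expected hash and archive come from the
    same source, so the comparison cannot detect a tampered index."""
    sdist = index["FooBar-0.1.tar.gz"]
    if sha256_hex(sdist) != index["sha256"]:
        return "rejected: hash mismatch"
    return "installed: " + sdist.decode().strip()


def install_with_pinned_hash(index: dict, pinned_sha256: str) -> str:
    """Mitigation: the expected hash comes from a source the index cannot
    rewrite, e.g. signed targets metadata as in PyPI-with-TUF."""
    sdist = index["FooBar-0.1.tar.gz"]
    if sha256_hex(sdist) != pinned_sha256:
        return "rejected: hash mismatch"
    return "installed: " + sdist.decode().strip()


# Hash of the benign archive, recorded before the index was tampered with.
PINNED_FOOBAR_SHA256 = sha256_hex(BENIGN_SDIST)

if __name__ == "__main__":
    tampered_index = make_simple_index(TAMPERED_SDIST)
    print(install_trusting_index(tampered_index))
    print(install_with_pinned_hash(tampered_index, PINNED_FOOBAR_SHA256))
```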